CICD on Bastab C https://bastabc.com/ Recent content in CICD on Bastab C Hugo -- gohugo.io en-us Sun, 27 Jul 2025 00:00:00 +0000 Infrastructure as Code with AWS CDK - Series Overview https://bastabc.com/posts/aws-cdk-infrastructure-as-code/ Mon, 21 Apr 2025 00:00:00 +0000 https://bastabc.com/posts/aws-cdk-infrastructure-as-code/ <p>AWS CDK lets you define cloud infrastructure in familiar programming languages - Python, TypeScript, Java - and synthesise it into CloudFormation. Compared to writing raw CloudFormation or Terraform HCL, CDK gives you loops, conditionals, type safety, and reusable constructs.</p> <p>This series covers practical CDK patterns using Python, with a consistent use case across all parts so the trade-offs are easy to compare.</p> <hr> <h2 id="why-cdk-over-cloudformation-for-aws-native-workloads">Why CDK over CloudFormation for AWS-native workloads?</h2> <ul> <li>CloudFormation is YAML or JSON - no loops, no conditionals, no abstraction. Any shared pattern gets copy-pasted.</li> <li>CDK uses a real programming language - loops, functions, classes, and type checks all apply to infrastructure the same way they apply to application code.</li> <li>L2 constructs handle boilerplate. <code>bucket.grant_read(fn)</code> generates the IAM policy, role attachment, and resource reference in one call. The CloudFormation equivalent is four resources wired together manually.</li> <li>The compiler catches mistakes before CloudFormation ever sees the template.</li> <li>CDK still synthesises to CloudFormation under the hood - rollbacks, drift detection, and stack history are unchanged.</li> </ul> <hr> <h2 id="why-cdk-over-terraform-for-aws-native-workloads">Why CDK over Terraform for AWS-native workloads?</h2> <ul> <li>Terraform&rsquo;s strength is multi-cloud. For AWS-only workloads, that comes with overhead that doesn&rsquo;t pay off - a state backend, a provider version to pin, and HCL alongside the application code.</li> <li>CDK uses CloudFormation as the deployment engine - AWS manages state natively. No S3 bucket for state, no DynamoDB table for locking, no <code>terraform init</code> in the pipeline.</li> <li>New AWS services appear in CDK constructs faster.</li> <li>IAM is easier. Terraform requires writing policy JSON by hand and threading ARNs between resources. CDK&rsquo;s <code>grant_*</code> methods generate least-privilege policies from the resource graph.</li> <li>Terraform is the right call when infrastructure spans multiple cloud providers, or when the team already has a mature Terraform codebase.</li> </ul> <hr> <h2 id="use-case">Use case</h2> <div class="callout callout-aws4"> Deploy an AWS Lambda function that processes files uploaded to an S3 bucket. Configuration - bucket name, log level, Lambda timeout - varies per environment (dev, staging, prod). </div> <p>Simple infrastructure by design - the CDK patterns are the point, not the resources.</p> <hr> <h2 id="the-series">The series</h2> <h3 id="chapter-1---project-setup-and-bootstrapping"><a href="https://bastabc.com/posts/aws-cdk-project-setup-and-bootstrapping/">Chapter 1 - Project setup and bootstrapping</a></h3> <p>Getting a CDK project off the ground - directory structure, virtual environments, bootstrapping an AWS account, and understanding the synth/deploy cycle.</p> <hr> <h3 id="chapter-2---managing-configuration-and-context"><a href="https://bastabc.com/posts/aws-cdk-managing-configuration-and-context/">Chapter 2 - Managing configuration and context</a></h3> <p>How environment-specific values flow into CDK stacks - four approaches covering local static config, local dynamic config, SSM Parameter Store, and Secrets Manager, with trade-offs and code examples for each.</p> <hr> <h3 id="chapter-3---writing-and-sharing-constructs"><a href="https://bastabc.com/posts/aws-cdk-writing-constructs/">Chapter 3 - Writing and sharing constructs</a></h3> <p>Building L3 constructs - extracting resources into reusable units, the keyword-only props pattern, and sharing constructs across stacks.</p> <hr> <h3 id="chapter-4---testing-cdk-stacks"><a href="https://bastabc.com/posts/aws-cdk-testing-stacks/">Chapter 4 - Testing CDK stacks</a></h3> <p>Unit testing constructs and stacks with <code>aws_cdk.assertions</code> - fine-grained assertions, snapshot testing, and when each applies.</p> <hr> <h3 id="chapter-5---cicd-with-cdk"><a href="https://bastabc.com/posts/aws-cdk-cicd/">Chapter 5 - CI/CD with CDK</a></h3> <p>Automating CDK deployments with GitHub Actions, Jenkins, and Azure DevOps - auth setup, multi-environment promotion, and approval gates.</p> <hr> <h2 id="notes">Notes</h2> <div class="callout callout-aws4"> <ol> <li>All examples use Python and CDK v2.</li> <li>Steps are tested on WSL2/Ubuntu on Windows and native macOS terminal.</li> <li>More chapters added as I work through these patterns.</li> </ol> </div> AWS Kiro CLI - Manage AWS Infrastructure from the Terminal https://bastabc.com/posts/aws-kiro-cli/ Sat, 02 May 2026 00:00:00 +0000 https://bastabc.com/posts/aws-kiro-cli/ <p>Kiro CLI is an AI-assisted terminal tool for AWS, rebranded from Amazon Q Developer CLI in November 2025. It sits on top of your existing AWS credentials and tooling. The <code>q</code> and <code>q chat</code> shortcuts from Q CLI still work but <code>kiro-cli</code> is the current entry point.</p> <hr> <h2 id="install">Install</h2> <p><strong>macOS</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>brew install --cask kiro-cli </span></span></code></pre></div><p>Or via script:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -fsSL https://cli.kiro.dev/install | bash </span></span></code></pre></div><p><strong>Windows (PowerShell)</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>irm <span style="color:#e6db74">&#39;https://cli.kiro.dev/install.ps1&#39;</span> | iex </span></span></code></pre></div><p><strong>Linux / WSL2 (Ubuntu / Debian) - .deb</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>wget https://desktop-release.q.us-east-1.amazonaws.com/latest/kiro-cli.deb </span></span><span style="display:flex;"><span>sudo dpkg -i kiro-cli.deb </span></span><span style="display:flex;"><span>sudo apt-get install -f </span></span></code></pre></div><p><strong>Linux - ZIP (x86-64, non-Debian distros)</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl --proto <span style="color:#e6db74">&#39;=https&#39;</span> --tlsv1.2 -sSf <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> <span style="color:#e6db74">&#39;https://desktop-release.q.us-east-1.amazonaws.com/latest/kirocli-x86_64-linux.zip&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -o kirocli.zip </span></span><span style="display:flex;"><span>unzip kirocli.zip </span></span><span style="display:flex;"><span>./kirocli/install.sh </span></span></code></pre></div><p>Verify:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kiro-cli version </span></span><span style="display:flex;"><span>kiro-cli doctor <span style="color:#75715e"># diagnoses config and auth issues</span> </span></span></code></pre></div><hr> <h2 id="authenticate">Authenticate</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kiro-cli login <span style="color:#75715e"># opens browser to complete sign-in</span> </span></span><span style="display:flex;"><span>kiro-cli whoami <span style="color:#75715e"># shows current user and auth method</span> </span></span><span style="display:flex;"><span>kiro-cli logout </span></span></code></pre></div><p><strong>AWS Builder ID</strong> - free individual account at builder.aws. No existing AWS account required. Enough to get started with 50 free credits/month (500 bonus credits on first sign-in).</p> <p><strong>Builder ID with AWS accounts</strong> - You can log in to Kiro with a personal Builder ID for the AI features, and connect to your AWS account using AWS SSO profile. Kiro picks up AWS credentials are active in the environment:</p> <p>Set the profile for the session and run commands targeting the profile:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>export AWS_PROFILE<span style="color:#f92672">=</span>my-prod </span></span><span style="display:flex;"><span>aws sts get-caller-identity <span style="color:#75715e"># confirm which account is active</span> </span></span><span style="display:flex;"><span>aws sts get-caller-identity --profile my-prod </span></span><span style="display:flex;"><span>kiro-cli chat <span style="color:#e6db74">&#34;get Compute Optimizer recommendations&#34;</span> </span></span></code></pre></div><hr> <h2 id="key-commands">Key commands</h2> <p><code>kiro-cli</code> with no arguments opens an interactive session - type prompts directly without any prefix. <code>kiro-cli chat &quot;prompt&quot;</code> is for scripted or one-shot use.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kiro-cli <span style="color:#75715e"># interactive session - type prompts directly</span> </span></span><span style="display:flex;"><span>kiro-cli chat <span style="color:#e6db74">&#34;your prompt&#34;</span> <span style="color:#75715e"># start session with an initial prompt</span> </span></span><span style="display:flex;"><span>kiro-cli chat --resume <span style="color:#75715e"># continue previous session</span> </span></span><span style="display:flex;"><span>kiro-cli chat --no-interactive <span style="color:#e6db74">&#34;prompt&#34;</span> <span style="color:#75715e"># one-shot, no interaction - useful in scripts</span> </span></span><span style="display:flex;"><span>kiro-cli translate <span style="color:#e6db74">&#34;list S3 buckets&#34;</span> <span style="color:#75715e"># natural language to shell command</span> </span></span><span style="display:flex;"><span>kiro-cli agent list <span style="color:#75715e"># list available agents</span> </span></span><span style="display:flex;"><span>kiro-cli mcp add <span style="color:#75715e"># add an MCP server</span> </span></span><span style="display:flex;"><span>kiro-cli mcp list <span style="color:#75715e"># list configured MCP servers</span> </span></span><span style="display:flex;"><span>kiro-cli mcp status <span style="color:#75715e"># check MCP server health</span> </span></span><span style="display:flex;"><span>kiro-cli settings list <span style="color:#75715e"># view current settings</span> </span></span><span style="display:flex;"><span>kiro-cli update <span style="color:#75715e"># upgrade to latest version</span> </span></span></code></pre></div><hr> <h2 id="infrastructure-workflows">Infrastructure workflows</h2> <p>Kiro CLI does not call AWS APIs directly - it generates and optionally runs commands using your existing AWS credentials. A few patterns that work well:</p> <p><strong>Generate and run AWS CLI commands from natural language:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kiro-cli translate <span style="color:#e6db74">&#34;list all EC2 instances in us-east-1 with their state&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># outputs: aws ec2 describe-instances --region us-east-1 --query ...</span> </span></span></code></pre></div><p><strong>Pipe AWS CLI output into chat for analysis:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws cloudwatch describe-alarms --state-value ALARM | <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> kiro-cli chat --no-interactive <span style="color:#e6db74">&#34;summarise these alarms and suggest remediation&#34;</span> </span></span></code></pre></div><p><strong>Generate Terraform or CloudFormation:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kiro-cli chat <span style="color:#e6db74">&#34;write a Terraform module for a private S3 bucket with versioning and a 90-day lifecycle rule to Glacier&#34;</span> </span></span></code></pre></div><p><strong>Use in CI without interaction:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>KIRO_API_KEY<span style="color:#f92672">=</span>ksk_xxxxxxxx kiro-cli chat --no-interactive <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> <span style="color:#e6db74">&#34;explain this deployment error: </span><span style="color:#66d9ef">$(</span>cat deploy.log | tail -50<span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span> </span></span></code></pre></div><p><strong>Run commands with auto-approval in trusted environments:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kiro-cli chat --trust-all-tools <span style="color:#e6db74">&#34;get Compute Optimizer recommendations for my account&#34;</span> </span></span></code></pre></div><hr> <h2 id="notes">Notes</h2> <div class="callout callout-aws4"> <ol> <li>If migrating from Q CLI, config migrates automatically from <code>~/.aws/amazonq</code> to <code>~/.kiro</code> on first run.</li> <li><code>kiro-cli doctor</code> is the first thing to run if auth or config behaves unexpectedly.</li> <li>The CLI is not open source - the license changed from Apache to AWS Intellectual Property License with the Kiro rebrand.</li> </ol> </div> GitHub PR Fix: "Commits must have verified signatures" blocking PR merge https://bastabc.com/posts/fix-gpg-signature-verification-blocking-pr-merge/ Sat, 25 Apr 2026 00:00:00 +0000 https://bastabc.com/posts/fix-gpg-signature-verification-blocking-pr-merge/ <h2 id="problem">Problem</h2> <p>GitHub branch protection requires all commits to have verified GPG signatures. Two commits at the base of the branch (made before GPG signing was configured) were unsigned, blocking the merge.</p> <hr> <h2 id="root-cause">Root cause</h2> <p>Commits made before <code>commit.gpgsign=true</code> was configured in git have no GPG signature. GitHub requires all commits in a PR to be verified - one unsigned commit blocks the merge regardless of approvals.</p> <hr> <h2 id="steps-to-fix">Steps to fix</h2> <h3 id="1-identify-unsigned-commits">1. Identify unsigned commits</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git log --format<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;%G? %ad %s&#34;</span> --date<span style="color:#f92672">=</span>short origin/main..HEAD </span></span></code></pre></div><p>Look for lines starting with <code>N</code> (no signature). Note the hash of the oldest unsigned commit&rsquo;s parent on main.</p> <h3 id="2-re-sign-all-branch-commits-using-filter-branch">2. Re-sign all branch commits using filter-branch</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git filter-branch -f --commit-filter <span style="color:#e6db74">&#39;git commit-tree -S &#34;$@&#34;&#39;</span> -- origin/main..HEAD </span></span></code></pre></div><p>Rewrites all branch commits adding a GPG signature - no content changes, no conflicts.</p> <h3 id="3-verify-no-unsigned-commits-remain">3. Verify no unsigned commits remain</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git log --format<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;%G?&#34;</span> origin/main..HEAD | Select-String <span style="color:#e6db74">&#34;^N</span>$<span style="color:#e6db74">&#34;</span> </span></span></code></pre></div><p>Should return nothing.</p> <h3 id="4-force-push">4. Force push</h3> <p>Attempt force push via terminal using the configured remote:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git push --force origin &lt;branch&gt; </span></span></code></pre></div><p>If this fails with &ldquo;repository not found&rdquo; (HTTPS remote, no credentials) or &ldquo;Could not read from remote repository&rdquo; (SSH not configured), use a classic PAT with repo scope directly in the URL:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git push --force https://&lt;username&gt;:&lt;PAT&gt;@github.com/&lt;org&gt;/&lt;repo&gt;.git &lt;branch&gt; </span></span></code></pre></div><h3 id="5-update-local-tracking-ref-if-github-desktop-shows-stale-state">5. Update local tracking ref (if GitHub Desktop shows stale state)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git update-ref refs/remotes/origin/&lt;branch&gt; &lt;tip-commit-hash&gt; </span></span></code></pre></div><hr> <h2 id="notes">Notes</h2> <div class="callout callout-aws4"> <ol> <li>Avoid <code>git rebase --exec &quot;git commit --amend -S&quot;</code> if the branch has merge commits - it drops them and causes conflicts.</li> <li>Avoid <code>git rebase --rebase-merges</code> - re-applying old merge commits causes conflicts from the original merges.</li> <li><code>filter-branch</code> rewrites commit objects without replaying merges, which is what&rsquo;s needed here.</li> <li>Fine-grained PATs do not work for org repositories - use classic PAT only.</li> <li>After force pushing, avoid <code>git pull</code> / IDE auto-sync until the PR is merged - it will re-introduce the old unsigned commits via a new merge.</li> </ol> </div> AWS CDK - CI/CD Pipelines https://bastabc.com/posts/aws-cdk-cicd/ Sun, 27 Jul 2025 00:00:00 +0000 https://bastabc.com/posts/aws-cdk-cicd/ <p>This is Chapter 5 of the <a href="https://bastabc.com/posts/aws-cdk-infrastructure-as-code/">Infrastructure as Code with AWS CDK</a> series. The same <code>cdk deploy</code> command that runs locally works in any pipeline - the differences are auth and orchestration.</p> <hr> <h2 id="common-flags-for-ci">Common flags for CI</h2> <p>These apply regardless of which CI system you use:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cdk synth <span style="color:#75715e"># generate CloudFormation template</span> </span></span><span style="display:flex;"><span>cdk deploy --require-approval never -c env<span style="color:#f92672">=</span>prod <span style="color:#75715e"># deploy without interactive prompts</span> </span></span><span style="display:flex;"><span>cdk deploy --outputs-file outputs.json <span style="color:#75715e"># write stack outputs to file</span> </span></span></code></pre></div><p><code>--require-approval never</code> skips the IAM change confirmation that CDK shows interactively. Required in CI.</p> <p><code>-c env=prod</code> passes the environment context from <a href="https://bastabc.com/posts/aws-cdk-managing-configuration-and-context/">Chapter 2</a>.</p> <hr> <h2 id="github-actions">GitHub Actions</h2> <h3 id="auth">Auth</h3> <p>OIDC is the recommended auth method - no long-lived credentials stored in GitHub. The pipeline assumes an IAM role directly via GitHub&rsquo;s OIDC provider.</p> <p>Create the OIDC provider in AWS once per account:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws iam create-open-id-connect-provider <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --url https://token.actions.githubusercontent.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --client-id-list sts.amazonaws.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --thumbprint-list 6938fd4d98bab03faadb97b34396831e3780aea1 </span></span></code></pre></div><p>Create an IAM role with a trust policy scoped to your repository:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Version&#34;</span>: <span style="color:#e6db74">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Statement&#34;</span>: [{ </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Effect&#34;</span>: <span style="color:#e6db74">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Principal&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Federated&#34;</span>: <span style="color:#e6db74">&#34;arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com&#34;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Action&#34;</span>: <span style="color:#e6db74">&#34;sts:AssumeRoleWithWebIdentity&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Condition&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;StringLike&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;token.actions.githubusercontent.com:sub&#34;</span>: <span style="color:#e6db74">&#34;repo:my-org/my-repo:*&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Attach whatever IAM policies the CDK deploy needs (CloudFormation, S3, Lambda, IAM) to this role.</p> <h3 id="workflow">Workflow</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#75715e"># .github/workflows/deploy.yml</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">name</span>: <span style="color:#ae81ff">Deploy</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">on</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">push</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">branches</span>: [<span style="color:#ae81ff">main]</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">permissions</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">id-token</span>: <span style="color:#ae81ff">write</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">contents</span>: <span style="color:#ae81ff">read</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">jobs</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">deploy-dev</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">runs-on</span>: <span style="color:#ae81ff">ubuntu-latest</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">steps</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">actions/checkout@v4</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">actions/setup-python@v5</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">python-version</span>: <span style="color:#e6db74">&#34;3.12&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">actions/setup-node@v4</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">node-version</span>: <span style="color:#e6db74">&#34;20&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Install CDK CLI</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">npm install -g aws-cdk</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Install dependencies</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">pip install -r requirements.txt -r requirements-dev.txt</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Configure AWS credentials</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">aws-actions/configure-aws-credentials@v4</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">role-to-assume</span>: <span style="color:#ae81ff">arn:aws:iam::123456789012:role/GitHubActionsRole</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">aws-region</span>: <span style="color:#ae81ff">us-east-1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Synth</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">cdk synth -c env=dev</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Test</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">pytest</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Deploy dev</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">cdk deploy --require-approval never -c env=dev</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">deploy-prod</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">runs-on</span>: <span style="color:#ae81ff">ubuntu-latest</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">needs</span>: <span style="color:#ae81ff">deploy-dev</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">environment</span>: <span style="color:#ae81ff">production</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">steps</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">actions/checkout@v4</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">actions/setup-python@v5</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">python-version</span>: <span style="color:#e6db74">&#34;3.12&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">actions/setup-node@v4</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">node-version</span>: <span style="color:#e6db74">&#34;20&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Install CDK CLI</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">npm install -g aws-cdk</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Install dependencies</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">pip install -r requirements.txt</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Configure AWS credentials</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">uses</span>: <span style="color:#ae81ff">aws-actions/configure-aws-credentials@v4</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">with</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">role-to-assume</span>: <span style="color:#ae81ff">arn:aws:iam::123456789012:role/GitHubActionsRole</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">aws-region</span>: <span style="color:#ae81ff">us-east-1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Deploy prod</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">cdk deploy --require-approval never -c env=prod</span> </span></span></code></pre></div><p>The <code>environment: production</code> job pauses for a manual approval before running. Configure required reviewers under Settings &gt; Environments &gt; production in the GitHub repository.</p> <hr> <h2 id="jenkins">Jenkins</h2> <h3 id="auth-1">Auth</h3> <p>The simplest setup: run the Jenkins agent on an EC2 instance with an IAM instance role. The CDK CLI picks up credentials automatically via the instance metadata service - no credentials to manage.</p> <p>If the agent is not on EC2, store AWS credentials as a Jenkins credential (Credentials &gt; Add &gt; AWS Credentials) and inject them into the pipeline with the <code>withCredentials</code> block.</p> <h3 id="jenkinsfile">Jenkinsfile</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-groovy" data-lang="groovy"><span style="display:flex;"><span>pipeline <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> agent any </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> environment <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> AWS_DEFAULT_REGION <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;us-east-1&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> stages <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> stage<span style="color:#f92672">(</span><span style="color:#e6db74">&#39;Install&#39;</span><span style="color:#f92672">)</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> steps <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> sh <span style="color:#e6db74">&#39;pip install -r requirements.txt -r requirements-dev.txt&#39;</span> </span></span><span style="display:flex;"><span> sh <span style="color:#e6db74">&#39;npm install -g aws-cdk&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> stage<span style="color:#f92672">(</span><span style="color:#e6db74">&#39;Synth&#39;</span><span style="color:#f92672">)</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> steps <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> sh <span style="color:#e6db74">&#39;cdk synth -c env=dev&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> stage<span style="color:#f92672">(</span><span style="color:#e6db74">&#39;Test&#39;</span><span style="color:#f92672">)</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> steps <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> sh <span style="color:#e6db74">&#39;pytest&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> stage<span style="color:#f92672">(</span><span style="color:#e6db74">&#39;Deploy dev&#39;</span><span style="color:#f92672">)</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> steps <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> sh <span style="color:#e6db74">&#39;cdk deploy --require-approval never -c env=dev&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> stage<span style="color:#f92672">(</span><span style="color:#e6db74">&#39;Approve prod&#39;</span><span style="color:#f92672">)</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> steps <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> input message: <span style="color:#e6db74">&#39;Deploy to production?&#39;</span><span style="color:#f92672">,</span> ok: <span style="color:#e6db74">&#39;Deploy&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> stage<span style="color:#f92672">(</span><span style="color:#e6db74">&#39;Deploy prod&#39;</span><span style="color:#f92672">)</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> steps <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> sh <span style="color:#e6db74">&#39;cdk deploy --require-approval never -c env=prod&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> post <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> failure <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#39;Pipeline failed - check CloudFormation events for rollback details&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span></code></pre></div><p>The <code>input</code> step pauses the pipeline until someone clicks Deploy in the Jenkins UI.</p> <p>If credentials are stored in Jenkins rather than on an instance role, wrap the deploy steps:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-groovy" data-lang="groovy"><span style="display:flex;"><span>withCredentials<span style="color:#f92672">([[</span> </span></span><span style="display:flex;"><span> $class<span style="color:#f92672">:</span> <span style="color:#e6db74">&#39;AmazonWebServicesCredentialsBinding&#39;</span><span style="color:#f92672">,</span> </span></span><span style="display:flex;"><span> credentialsId: <span style="color:#e6db74">&#39;aws-deploy-credentials&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">]])</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> sh <span style="color:#e6db74">&#39;cdk deploy --require-approval never -c env=prod&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span></code></pre></div><hr> <h2 id="azure-devops">Azure DevOps</h2> <h3 id="auth-2">Auth</h3> <p>Store AWS credentials as secret pipeline variables (<code>AWS_ACCESS_KEY_ID</code>, <code>AWS_SECRET_ACCESS_KEY</code>) or use the AWS Toolkit for Azure DevOps extension, which adds an <code>AWSShellScript</code> task with a configured service connection.</p> <p>The example below uses secret variables directly, which works without the extension.</p> <h3 id="pipeline">Pipeline</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#75715e"># azure-pipelines.yml</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">trigger</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">branches</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">include</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">main</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">variables</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">pythonVersion</span>: <span style="color:#e6db74">&#34;3.12&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">awsRegion</span>: <span style="color:#e6db74">&#34;us-east-1&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">stages</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">stage</span>: <span style="color:#ae81ff">DeployDev</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">displayName</span>: <span style="color:#ae81ff">Deploy to dev</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">jobs</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">job</span>: <span style="color:#ae81ff">Deploy</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">pool</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">vmImage</span>: <span style="color:#ae81ff">ubuntu-latest</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">steps</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">task</span>: <span style="color:#ae81ff">UsePythonVersion@0</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">inputs</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">versionSpec</span>: <span style="color:#ae81ff">$(pythonVersion)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">script</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> pip install -r requirements.txt -r requirements-dev.txt </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> npm install -g aws-cdk</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">displayName</span>: <span style="color:#ae81ff">Install dependencies</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">script</span>: <span style="color:#ae81ff">cdk synth -c env=dev</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">displayName</span>: <span style="color:#ae81ff">Synth</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">env</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_ACCESS_KEY_ID</span>: <span style="color:#ae81ff">$(AWS_ACCESS_KEY_ID)</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_SECRET_ACCESS_KEY</span>: <span style="color:#ae81ff">$(AWS_SECRET_ACCESS_KEY)</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_DEFAULT_REGION</span>: <span style="color:#ae81ff">$(awsRegion)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">script</span>: <span style="color:#ae81ff">pytest</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">displayName</span>: <span style="color:#ae81ff">Test</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">script</span>: <span style="color:#ae81ff">cdk deploy --require-approval never -c env=dev</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">displayName</span>: <span style="color:#ae81ff">Deploy dev</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">env</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_ACCESS_KEY_ID</span>: <span style="color:#ae81ff">$(AWS_ACCESS_KEY_ID)</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_SECRET_ACCESS_KEY</span>: <span style="color:#ae81ff">$(AWS_SECRET_ACCESS_KEY)</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_DEFAULT_REGION</span>: <span style="color:#ae81ff">$(awsRegion)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">stage</span>: <span style="color:#ae81ff">DeployProd</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">displayName</span>: <span style="color:#ae81ff">Deploy to prod</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">dependsOn</span>: <span style="color:#ae81ff">DeployDev</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">jobs</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">deployment</span>: <span style="color:#ae81ff">Deploy</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">environment</span>: <span style="color:#ae81ff">production</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">pool</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">vmImage</span>: <span style="color:#ae81ff">ubuntu-latest</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">strategy</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">runOnce</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">deploy</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">steps</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">checkout</span>: <span style="color:#ae81ff">self</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">task</span>: <span style="color:#ae81ff">UsePythonVersion@0</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">inputs</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">versionSpec</span>: <span style="color:#ae81ff">$(pythonVersion)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">script</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> pip install -r requirements.txt </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> npm install -g aws-cdk</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">displayName</span>: <span style="color:#ae81ff">Install dependencies</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">script</span>: <span style="color:#ae81ff">cdk deploy --require-approval never -c env=prod</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">displayName</span>: <span style="color:#ae81ff">Deploy prod</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">env</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_ACCESS_KEY_ID</span>: <span style="color:#ae81ff">$(AWS_ACCESS_KEY_ID)</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_SECRET_ACCESS_KEY</span>: <span style="color:#ae81ff">$(AWS_SECRET_ACCESS_KEY)</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_DEFAULT_REGION</span>: <span style="color:#ae81ff">$(awsRegion)</span> </span></span></code></pre></div><p>The <code>deployment</code> job type with <code>environment: production</code> enables approval gates. Configure approvers under Pipelines &gt; Environments &gt; production in Azure DevOps.</p> <hr> <h2 id="aws-codepipeline">AWS CodePipeline</h2> <p>CDK ships a <code>pipelines</code> module that creates a CodePipeline pipeline directly from CDK code:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk <span style="color:#f92672">import</span> pipelines </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>pipeline <span style="color:#f92672">=</span> pipelines<span style="color:#f92672">.</span>CodePipeline(self, <span style="color:#e6db74">&#34;Pipeline&#34;</span>, </span></span><span style="display:flex;"><span> synth<span style="color:#f92672">=</span>pipelines<span style="color:#f92672">.</span>ShellStep(<span style="color:#e6db74">&#34;Synth&#34;</span>, </span></span><span style="display:flex;"><span> input<span style="color:#f92672">=</span>pipelines<span style="color:#f92672">.</span>CodePipelineSource<span style="color:#f92672">.</span>git_hub(<span style="color:#e6db74">&#34;my-org/my-repo&#34;</span>, <span style="color:#e6db74">&#34;main&#34;</span>), </span></span><span style="display:flex;"><span> commands<span style="color:#f92672">=</span>[ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;pip install -r requirements.txt&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;npm install -g aws-cdk&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;cdk synth&#34;</span> </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span>) </span></span></code></pre></div><p>The pipeline is self-mutating - when CDK code changes, the pipeline updates itself before deploying application changes. It is tightly coupled to CodePipeline and requires more upfront setup than the external CI approaches above, but is the right fit when the deployment needs to stay fully within AWS.</p> <hr> <h2 id="notes">Notes</h2> <div class="callout callout-aws4"> <ol> <li><code>--require-approval never</code> skips the IAM diff prompt. Review IAM changes in <code>cdk diff</code> output or pull request checks before merging rather than at deploy time.</li> <li>The <code>cdk.context.json</code> file should be committed - pipelines need it for SSM lookups cached in Chapter 2 to avoid live SSM calls on every run.</li> <li>CloudFormation automatically rolls back a failed deployment to the previous stable state. No extra rollback configuration is needed in the pipeline.</li> <li>For OIDC in GitHub Actions, scope the trust condition to a specific branch (<code>repo:my-org/my-repo:ref:refs/heads/main</code>) rather than <code>*</code> to limit which workflows can assume the role.</li> </ol> </div> AWS CDK - Testing CDK Stacks https://bastabc.com/posts/aws-cdk-testing-stacks/ Sat, 05 Jul 2025 00:00:00 +0000 https://bastabc.com/posts/aws-cdk-testing-stacks/ <p>This is Chapter 4 of the <a href="https://bastabc.com/posts/aws-cdk-infrastructure-as-code/">Infrastructure as Code with AWS CDK</a> series. Chapter 3 built <code>FileProcessorConstruct</code> - the tests here cover that construct and the stack it lives in.</p> <hr> <h2 id="how-cdk-testing-works">How CDK testing works</h2> <p>CDK unit tests don&rsquo;t deploy anything. They synthesize a stack into a CloudFormation template and run assertions against that template. No AWS credentials needed, and the suite runs in CI without any special setup.</p> <p>The <code>aws_cdk.assertions</code> module is already part of <code>aws-cdk-lib</code> - no extra install required.</p> <hr> <h2 id="setup">Setup</h2> <p><code>cdk init</code> adds pytest to <code>requirements-dev.txt</code> automatically. Install it if not already active:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>pip install -r requirements-dev.txt </span></span></code></pre></div><p>Create the test files:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>my-cdk-app/ </span></span><span style="display:flex;"><span>├── tests/ </span></span><span style="display:flex;"><span>│ ├── __init__.py </span></span><span style="display:flex;"><span>│ ├── test_file_processor.py </span></span><span style="display:flex;"><span>│ └── test_stack.py </span></span></code></pre></div><hr> <h2 id="testing-the-construct">Testing the construct</h2> <p>Each test builds a minimal stack, instantiates the construct inside it, and asserts against the synthesized template:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e"># tests/test_file_processor.py</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> pytest </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk <span style="color:#f92672">import</span> App, Stack </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk.assertions <span style="color:#f92672">import</span> Template, Match </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> my_cdk_app.file_processor <span style="color:#f92672">import</span> FileProcessorConstruct </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TEST_PROPS <span style="color:#f92672">=</span> dict( </span></span><span style="display:flex;"><span> bucket_name<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;test-bucket&#34;</span>, </span></span><span style="display:flex;"><span> log_level<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;DEBUG&#34;</span>, </span></span><span style="display:flex;"><span> lambda_timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">30</span>, </span></span><span style="display:flex;"><span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@pytest.fixture</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">template</span>(): </span></span><span style="display:flex;"><span> app <span style="color:#f92672">=</span> App() </span></span><span style="display:flex;"><span> stack <span style="color:#f92672">=</span> Stack(app, <span style="color:#e6db74">&#34;TestStack&#34;</span>) </span></span><span style="display:flex;"><span> FileProcessorConstruct(stack, <span style="color:#e6db74">&#34;TestConstruct&#34;</span>, <span style="color:#f92672">**</span>TEST_PROPS) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> Template<span style="color:#f92672">.</span>from_stack(stack) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">test_bucket_created</span>(template): </span></span><span style="display:flex;"><span> template<span style="color:#f92672">.</span>has_resource_properties(<span style="color:#e6db74">&#34;AWS::S3::Bucket&#34;</span>, { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;BucketName&#34;</span>: <span style="color:#e6db74">&#34;test-bucket&#34;</span> </span></span><span style="display:flex;"><span> }) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">test_lambda_runtime_and_timeout</span>(template): </span></span><span style="display:flex;"><span> template<span style="color:#f92672">.</span>has_resource_properties(<span style="color:#e6db74">&#34;AWS::Lambda::Function&#34;</span>, { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Runtime&#34;</span>: <span style="color:#e6db74">&#34;python3.12&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Timeout&#34;</span>: <span style="color:#ae81ff">30</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Environment&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Variables&#34;</span>: {<span style="color:#e6db74">&#34;LOG_LEVEL&#34;</span>: <span style="color:#e6db74">&#34;DEBUG&#34;</span>} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">test_lambda_has_read_access</span>(template): </span></span><span style="display:flex;"><span> template<span style="color:#f92672">.</span>has_resource_properties(<span style="color:#e6db74">&#34;AWS::IAM::Policy&#34;</span>, { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;PolicyDocument&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Statement&#34;</span>: Match<span style="color:#f92672">.</span>array_with([ </span></span><span style="display:flex;"><span> Match<span style="color:#f92672">.</span>object_like({ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Action&#34;</span>: Match<span style="color:#f92672">.</span>array_with([<span style="color:#e6db74">&#34;s3:GetObject*&#34;</span>]), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Effect&#34;</span>: <span style="color:#e6db74">&#34;Allow&#34;</span> </span></span><span style="display:flex;"><span> }) </span></span><span style="display:flex;"><span> ]) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }) </span></span></code></pre></div><p><code>has_resource_properties</code> does a subset match - the resource only needs to contain the specified properties, not match them exactly. <code>Match.array_with</code> and <code>Match.object_like</code> apply the same subset logic to nested arrays and objects.</p> <hr> <h2 id="testing-the-stack">Testing the stack</h2> <p>Test <code>MyStack</code> the same way, using a config dict that matches what <code>app.py</code> passes:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e"># tests/test_stack.py</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk <span style="color:#f92672">import</span> App </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk.assertions <span style="color:#f92672">import</span> Template </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> my_cdk_app.my_cdk_app_stack <span style="color:#f92672">import</span> MyStack </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TEST_CONFIG <span style="color:#f92672">=</span> { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;bucket_name&#34;</span>: <span style="color:#e6db74">&#34;test-bucket&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;log_level&#34;</span>: <span style="color:#e6db74">&#34;INFO&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;lambda_timeout&#34;</span>: <span style="color:#ae81ff">60</span>, </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">test_stack_resource_count</span>(): </span></span><span style="display:flex;"><span> app <span style="color:#f92672">=</span> App() </span></span><span style="display:flex;"><span> stack <span style="color:#f92672">=</span> MyStack(app, <span style="color:#e6db74">&#34;TestStack&#34;</span>, config<span style="color:#f92672">=</span>TEST_CONFIG) </span></span><span style="display:flex;"><span> template <span style="color:#f92672">=</span> Template<span style="color:#f92672">.</span>from_stack(stack) </span></span><span style="display:flex;"><span> template<span style="color:#f92672">.</span>resource_count_is(<span style="color:#e6db74">&#34;AWS::S3::Bucket&#34;</span>, <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> template<span style="color:#f92672">.</span>resource_count_is(<span style="color:#e6db74">&#34;AWS::Lambda::Function&#34;</span>, <span style="color:#ae81ff">1</span>) </span></span></code></pre></div><hr> <h2 id="snapshot-testing">Snapshot testing</h2> <p>Snapshot tests capture the full synthesized template and fail if anything changes. Write the template to a file on first run, then compare on subsequent runs:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">import</span> json </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> pathlib <span style="color:#f92672">import</span> Path </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk <span style="color:#f92672">import</span> App </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk.assertions <span style="color:#f92672">import</span> Template </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> my_cdk_app.my_cdk_app_stack <span style="color:#f92672">import</span> MyStack </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SNAPSHOT_PATH <span style="color:#f92672">=</span> Path(__file__)<span style="color:#f92672">.</span>parent <span style="color:#f92672">/</span> <span style="color:#e6db74">&#34;snapshots&#34;</span> <span style="color:#f92672">/</span> <span style="color:#e6db74">&#34;stack.json&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TEST_CONFIG <span style="color:#f92672">=</span> { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;bucket_name&#34;</span>: <span style="color:#e6db74">&#34;test-bucket&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;log_level&#34;</span>: <span style="color:#e6db74">&#34;INFO&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;lambda_timeout&#34;</span>: <span style="color:#ae81ff">60</span>, </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">test_stack_snapshot</span>(): </span></span><span style="display:flex;"><span> app <span style="color:#f92672">=</span> App() </span></span><span style="display:flex;"><span> stack <span style="color:#f92672">=</span> MyStack(app, <span style="color:#e6db74">&#34;TestStack&#34;</span>, config<span style="color:#f92672">=</span>TEST_CONFIG) </span></span><span style="display:flex;"><span> template <span style="color:#f92672">=</span> Template<span style="color:#f92672">.</span>from_stack(stack)<span style="color:#f92672">.</span>to_json() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> SNAPSHOT_PATH<span style="color:#f92672">.</span>exists(): </span></span><span style="display:flex;"><span> SNAPSHOT_PATH<span style="color:#f92672">.</span>parent<span style="color:#f92672">.</span>mkdir(exist_ok<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>) </span></span><span style="display:flex;"><span> SNAPSHOT_PATH<span style="color:#f92672">.</span>write_text(json<span style="color:#f92672">.</span>dumps(template, indent<span style="color:#f92672">=</span><span style="color:#ae81ff">2</span>)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> expected <span style="color:#f92672">=</span> json<span style="color:#f92672">.</span>loads(SNAPSHOT_PATH<span style="color:#f92672">.</span>read_text()) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> template <span style="color:#f92672">==</span> expected </span></span></code></pre></div><p>Commit the snapshot file. To update it after an intentional change, delete the file and run the test once to regenerate.</p> <p>The downside: CDK version bumps routinely touch metadata in the template - <code>aws:cdk:path</code>, asset hashes, checksums. Any of these invalidates the snapshot even when nothing meaningful changed. They work well for catching unintended IAM or resource config changes, but generate noise as a general regression check.</p> <hr> <h2 id="running-tests">Running tests</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>pytest </span></span><span style="display:flex;"><span>pytest -v <span style="color:#75715e"># verbose output</span> </span></span><span style="display:flex;"><span>pytest tests/test_file_processor.py <span style="color:#75715e"># single file</span> </span></span></code></pre></div><hr> <h2 id="notes">Notes</h2> <div class="callout callout-aws4"> <ol> <li><code>has_resource_properties</code> only checks the <code>Properties</code> block. To assert on the full resource including <code>DeletionPolicy</code>, <code>DependsOn</code>, or <code>Metadata</code>, use <code>has_resource</code> instead.</li> <li><code>Template.from_stack</code> calls <code>app.synth()</code> implicitly - no need to call it manually.</li> <li>CDK assigns logical IDs based on the construct path. Changing a construct&rsquo;s <code>id</code> argument changes its logical ID, which CloudFormation treats as a delete and recreate. Snapshot tests catch this; <code>has_resource_properties</code> tests do not.</li> <li>For TypeScript CDK projects, Jest has built-in snapshot support via <code>toMatchSnapshot()</code>. Python has no equivalent - the manual file approach above is the workaround.</li> </ol> </div> AWS CDK - Writing and Sharing Constructs https://bastabc.com/posts/aws-cdk-writing-constructs/ Sat, 14 Jun 2025 00:00:00 +0000 https://bastabc.com/posts/aws-cdk-writing-constructs/ <p>This is Chapter 3 of the <a href="https://bastabc.com/posts/aws-cdk-infrastructure-as-code/">Infrastructure as Code with AWS CDK</a> series. Chapters 1 and 2 put the S3 bucket and Lambda directly in <code>MyStack</code>. Both get extracted into a reusable construct here.</p> <hr> <h2 id="l1-l2-l3">L1, L2, L3</h2> <p>CDK organises constructs into three levels:</p> <ul> <li><strong>L1</strong> - raw CloudFormation resource wrappers, prefixed with <code>Cfn</code>. <code>CfnBucket</code>, <code>CfnFunction</code>. No defaults added - every property must be set explicitly.</li> <li><strong>L2</strong> - CDK&rsquo;s built-in higher-level constructs. <code>s3.Bucket</code>, <code>_lambda.Function</code>. These set sensible defaults, expose helper methods, and handle IAM via <code>grant_*</code> methods.</li> <li><strong>L3</strong> - composite constructs you write that bundle multiple resources into a single unit. The previous chapters used L2 constructs directly inside a stack. This chapter builds an L3.</li> </ul> <hr> <h2 id="the-problem">The problem</h2> <p>The current <code>MyStack</code> creates the bucket and Lambda directly:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> <span style="color:#a6e22e">MyStack</span>(Stack): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">def</span> <span style="color:#a6e22e">__init__</span>(self, scope, id, config, <span style="color:#f92672">**</span>kwargs): </span></span><span style="display:flex;"><span> super()<span style="color:#f92672">.</span><span style="color:#a6e22e">__init__</span>(scope, id, <span style="color:#f92672">**</span>kwargs) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> bucket <span style="color:#f92672">=</span> s3<span style="color:#f92672">.</span>Bucket(self, <span style="color:#e6db74">&#34;FilesBucket&#34;</span>, </span></span><span style="display:flex;"><span> bucket_name<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;bucket_name&#34;</span>] </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> fn <span style="color:#f92672">=</span> _lambda<span style="color:#f92672">.</span>Function(self, <span style="color:#e6db74">&#34;ProcessorFunction&#34;</span>, </span></span><span style="display:flex;"><span> runtime<span style="color:#f92672">=</span>_lambda<span style="color:#f92672">.</span>Runtime<span style="color:#f92672">.</span>PYTHON_3_12, </span></span><span style="display:flex;"><span> handler<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;handler.handler&#34;</span>, </span></span><span style="display:flex;"><span> code<span style="color:#f92672">=</span>_lambda<span style="color:#f92672">.</span>Code<span style="color:#f92672">.</span>from_asset(<span style="color:#e6db74">&#34;lambda&#34;</span>), </span></span><span style="display:flex;"><span> timeout<span style="color:#f92672">=</span>Duration<span style="color:#f92672">.</span>seconds(config[<span style="color:#e6db74">&#34;lambda_timeout&#34;</span>]), </span></span><span style="display:flex;"><span> environment<span style="color:#f92672">=</span>{<span style="color:#e6db74">&#34;LOG_LEVEL&#34;</span>: config[<span style="color:#e6db74">&#34;log_level&#34;</span>]} </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> bucket<span style="color:#f92672">.</span>grant_read(fn) </span></span></code></pre></div><p>If you need a second processor - say one for raw uploads and one for processed files - all of this gets duplicated. That&rsquo;s what a construct solves.</p> <hr> <h2 id="writing-the-construct">Writing the construct</h2> <p>Add <code>file_processor.py</code> inside the existing app module:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>my-cdk-app/ </span></span><span style="display:flex;"><span>├── app.py </span></span><span style="display:flex;"><span>├── my_cdk_app/ </span></span><span style="display:flex;"><span>│ ├── __init__.py </span></span><span style="display:flex;"><span>│ ├── my_cdk_app_stack.py </span></span><span style="display:flex;"><span>│ └── file_processor.py ← new </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e"># my_cdk_app/file_processor.py</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk <span style="color:#f92672">import</span> ( </span></span><span style="display:flex;"><span> Duration, </span></span><span style="display:flex;"><span> aws_s3 <span style="color:#66d9ef">as</span> s3, </span></span><span style="display:flex;"><span> aws_lambda <span style="color:#66d9ef">as</span> _lambda, </span></span><span style="display:flex;"><span>) </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> constructs <span style="color:#f92672">import</span> Construct </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">class</span> <span style="color:#a6e22e">FileProcessorConstruct</span>(Construct): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">def</span> <span style="color:#a6e22e">__init__</span>( </span></span><span style="display:flex;"><span> self, </span></span><span style="display:flex;"><span> scope: Construct, </span></span><span style="display:flex;"><span> id: str, </span></span><span style="display:flex;"><span> <span style="color:#f92672">*</span>, </span></span><span style="display:flex;"><span> bucket_name: str, </span></span><span style="display:flex;"><span> log_level: str, </span></span><span style="display:flex;"><span> lambda_timeout: int, </span></span><span style="display:flex;"><span> ): </span></span><span style="display:flex;"><span> super()<span style="color:#f92672">.</span><span style="color:#a6e22e">__init__</span>(scope, id) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> self<span style="color:#f92672">.</span>bucket <span style="color:#f92672">=</span> s3<span style="color:#f92672">.</span>Bucket(self, <span style="color:#e6db74">&#34;Bucket&#34;</span>, </span></span><span style="display:flex;"><span> bucket_name<span style="color:#f92672">=</span>bucket_name </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> self<span style="color:#f92672">.</span>fn <span style="color:#f92672">=</span> _lambda<span style="color:#f92672">.</span>Function(self, <span style="color:#e6db74">&#34;Function&#34;</span>, </span></span><span style="display:flex;"><span> runtime<span style="color:#f92672">=</span>_lambda<span style="color:#f92672">.</span>Runtime<span style="color:#f92672">.</span>PYTHON_3_12, </span></span><span style="display:flex;"><span> handler<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;handler.handler&#34;</span>, </span></span><span style="display:flex;"><span> code<span style="color:#f92672">=</span>_lambda<span style="color:#f92672">.</span>Code<span style="color:#f92672">.</span>from_asset(<span style="color:#e6db74">&#34;lambda&#34;</span>), </span></span><span style="display:flex;"><span> timeout<span style="color:#f92672">=</span>Duration<span style="color:#f92672">.</span>seconds(lambda_timeout), </span></span><span style="display:flex;"><span> environment<span style="color:#f92672">=</span>{<span style="color:#e6db74">&#34;LOG_LEVEL&#34;</span>: log_level} </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> self<span style="color:#f92672">.</span>bucket<span style="color:#f92672">.</span>grant_read(self<span style="color:#f92672">.</span>fn) </span></span></code></pre></div><p>The <code>*</code> before the keyword arguments makes them keyword-only - callers must pass them by name, not by position. <code>self.bucket</code> and <code>self.fn</code> are public so callers can reach in and extend if needed.</p> <hr> <h2 id="using-it-in-a-stack">Using it in a stack</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e"># my_cdk_app/my_cdk_app_stack.py</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk <span style="color:#f92672">import</span> Stack </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> constructs <span style="color:#f92672">import</span> Construct </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> my_cdk_app.file_processor <span style="color:#f92672">import</span> FileProcessorConstruct </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">class</span> <span style="color:#a6e22e">MyStack</span>(Stack): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">def</span> <span style="color:#a6e22e">__init__</span>(self, scope: Construct, id: str, config: dict, <span style="color:#f92672">**</span>kwargs): </span></span><span style="display:flex;"><span> super()<span style="color:#f92672">.</span><span style="color:#a6e22e">__init__</span>(scope, id, <span style="color:#f92672">**</span>kwargs) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> FileProcessorConstruct(self, <span style="color:#e6db74">&#34;FileProcessor&#34;</span>, </span></span><span style="display:flex;"><span> bucket_name<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;bucket_name&#34;</span>], </span></span><span style="display:flex;"><span> log_level<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;log_level&#34;</span>], </span></span><span style="display:flex;"><span> lambda_timeout<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;lambda_timeout&#34;</span>] </span></span><span style="display:flex;"><span> ) </span></span></code></pre></div><hr> <h2 id="reusing-the-construct">Reusing the construct</h2> <p>Two processors in the same stack, no duplication:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> <span style="color:#a6e22e">MyStack</span>(Stack): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">def</span> <span style="color:#a6e22e">__init__</span>(self, scope: Construct, id: str, config: dict, <span style="color:#f92672">**</span>kwargs): </span></span><span style="display:flex;"><span> super()<span style="color:#f92672">.</span><span style="color:#a6e22e">__init__</span>(scope, id, <span style="color:#f92672">**</span>kwargs) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> FileProcessorConstruct(self, <span style="color:#e6db74">&#34;RawProcessor&#34;</span>, </span></span><span style="display:flex;"><span> bucket_name<span style="color:#f92672">=</span><span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">{</span>config[<span style="color:#e6db74">&#39;bucket_name&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">-raw&#34;</span>, </span></span><span style="display:flex;"><span> log_level<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;log_level&#34;</span>], </span></span><span style="display:flex;"><span> lambda_timeout<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;lambda_timeout&#34;</span>] </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> FileProcessorConstruct(self, <span style="color:#e6db74">&#34;ProcessedProcessor&#34;</span>, </span></span><span style="display:flex;"><span> bucket_name<span style="color:#f92672">=</span><span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;</span><span style="color:#e6db74">{</span>config[<span style="color:#e6db74">&#39;bucket_name&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">-processed&#34;</span>, </span></span><span style="display:flex;"><span> log_level<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;log_level&#34;</span>], </span></span><span style="display:flex;"><span> lambda_timeout<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;lambda_timeout&#34;</span>] </span></span><span style="display:flex;"><span> ) </span></span></code></pre></div><p>CDK uses the <code>id</code> argument (<code>RawProcessor</code>, <code>ProcessedProcessor</code>) to make all resource logical IDs unique within the stack. Both constructs deploy without naming conflicts.</p> <hr> <h2 id="using-exposed-attributes">Using exposed attributes</h2> <p>Use <code>self.bucket</code> and <code>self.fn</code> when something needs to be added at the call site:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>processor <span style="color:#f92672">=</span> FileProcessorConstruct(self, <span style="color:#e6db74">&#34;FileProcessor&#34;</span>, </span></span><span style="display:flex;"><span> bucket_name<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;bucket_name&#34;</span>], </span></span><span style="display:flex;"><span> log_level<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;log_level&#34;</span>], </span></span><span style="display:flex;"><span> lambda_timeout<span style="color:#f92672">=</span>config[<span style="color:#e6db74">&#34;lambda_timeout&#34;</span>] </span></span><span style="display:flex;"><span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Grant a second function read access to the same bucket</span> </span></span><span style="display:flex;"><span>processor<span style="color:#f92672">.</span>bucket<span style="color:#f92672">.</span>grant_read(reporting_fn) </span></span></code></pre></div><p>If it&rsquo;s specific to one stack, keep it there rather than baking it into the construct.</p> <hr> <h2 id="notes">Notes</h2> <div class="callout callout-aws4"> <ol> <li>Do not name the constructs directory <code>constructs/</code> - it conflicts with the CDK <code>constructs</code> package import. Putting files inside the app module (<code>my_cdk_app/</code>) sidesteps this entirely.</li> <li>The <code>*</code> in the <code>__init__</code> signature enforces keyword arguments. Without it, callers can pass values positionally, which gets confusing with three or more parameters.</li> <li><code>self.bucket</code> and <code>self.fn</code> being public is a choice. If the construct is fully self-contained and callers should never reach in, keep them private with a leading underscore (<code>self._bucket</code>).</li> <li>To use a construct across multiple CDK projects, move it into a standalone Python package and install it as a dependency. Cross-language support (TypeScript, Java) requires <code>jsii</code> - a separate topic.</li> </ol> </div> AWS CDK - Managing Configuration and Context https://bastabc.com/posts/aws-cdk-managing-configuration-and-context/ Wed, 28 May 2025 00:00:00 +0000 https://bastabc.com/posts/aws-cdk-managing-configuration-and-context/ <p>This is Chapter 2 of the <a href="https://bastabc.com/posts/aws-cdk-infrastructure-as-code/">Infrastructure as Code with AWS CDK</a> series. Four approaches to environment-specific configuration in CDK stacks - same use case throughout so the trade-offs sit side by side.</p> <p><strong>Use case</strong>: An S3 bucket and Lambda function where bucket name, log level, and Lambda timeout vary per environment (dev, staging, prod).</p> <hr> <h2 id="quick-comparison">Quick comparison</h2> <table> <thead> <tr> <th>Approach</th> <th>Version controlled</th> <th>Supports secrets</th> <th>Change without redeploy</th> <th>Shared across stacks</th> </tr> </thead> <tbody> <tr> <td>Static config (<code>cdk.json</code>)</td> <td>Yes</td> <td>No</td> <td>No</td> <td>No</td> </tr> <tr> <td>Dynamic config</td> <td>No</td> <td>Partial</td> <td>Yes</td> <td>No</td> </tr> <tr> <td>Secrets Manager</td> <td>No</td> <td>Yes</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>CI/CD context injection</td> <td>No</td> <td>No</td> <td>Yes</td> <td>No</td> </tr> </tbody> </table> <hr> <h2 id="local-dev-patterns">Local dev patterns</h2> <p>Suitable for personal projects or local development. Neither is a good fit for CI/CD pipelines or shared team environments.</p> <h3 id="static-config-cdkjson">Static config (<code>cdk.json</code>)</h3> <p>Store environment-specific config in <code>cdk.json</code> under the <code>context</code> key. CDK reads this file automatically at synth time.</p> <p><strong>When to use</strong>: Stable, non-sensitive values that are the same for everyone on the team.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;app&#34;</span>: <span style="color:#e6db74">&#34;python3 app.py&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;context&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;dev&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;bucket_name&#34;</span>: <span style="color:#e6db74">&#34;my-bucket-dev&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;log_level&#34;</span>: <span style="color:#e6db74">&#34;DEBUG&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;lambda_timeout&#34;</span>: <span style="color:#ae81ff">30</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;prod&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;bucket_name&#34;</span>: <span style="color:#e6db74">&#34;my-bucket-prod&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;log_level&#34;</span>: <span style="color:#e6db74">&#34;INFO&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;lambda_timeout&#34;</span>: <span style="color:#ae81ff">60</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Read context in <code>app.py</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>app <span style="color:#f92672">=</span> cdk<span style="color:#f92672">.</span>App() </span></span><span style="display:flex;"><span>env_name <span style="color:#f92672">=</span> app<span style="color:#f92672">.</span>node<span style="color:#f92672">.</span>try_get_context(<span style="color:#e6db74">&#34;env&#34;</span>) <span style="color:#f92672">or</span> <span style="color:#e6db74">&#34;dev&#34;</span> </span></span><span style="display:flex;"><span>config <span style="color:#f92672">=</span> app<span style="color:#f92672">.</span>node<span style="color:#f92672">.</span>try_get_context(env_name) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>MyStack(app, <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;MyStack-</span><span style="color:#e6db74">{</span>env_name<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>, config<span style="color:#f92672">=</span>config) </span></span></code></pre></div><p>Deploy with:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cdk deploy -c env<span style="color:#f92672">=</span>dev </span></span><span style="display:flex;"><span>cdk deploy -c env<span style="color:#f92672">=</span>prod </span></span></code></pre></div><p><strong>Trade-off</strong>: Any config change requires a commit and redeploy. Never put secrets here - <code>cdk.json</code> is committed to source control.</p> <hr> <h3 id="dynamic-config">Dynamic config</h3> <p>Load config at synth time from a local file or environment variables, outside the CDK project. Useful when values differ per developer or machine.</p> <p><strong>When to use</strong>: Values that differ between developers - e.g. personal AWS account IDs, local endpoint overrides.</p> <p>Create a <code>config.dev.json</code> outside source control:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;bucket_name&#34;</span>: <span style="color:#e6db74">&#34;my-bucket-dev&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;log_level&#34;</span>: <span style="color:#e6db74">&#34;DEBUG&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;lambda_timeout&#34;</span>: <span style="color:#ae81ff">30</span> </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Load it in <code>app.py</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">import</span> json </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> os </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app <span style="color:#f92672">=</span> cdk<span style="color:#f92672">.</span>App() </span></span><span style="display:flex;"><span>env_name <span style="color:#f92672">=</span> os<span style="color:#f92672">.</span>environ<span style="color:#f92672">.</span>get(<span style="color:#e6db74">&#34;ENV&#34;</span>, <span style="color:#e6db74">&#34;dev&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">with</span> open(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;config.</span><span style="color:#e6db74">{</span>env_name<span style="color:#e6db74">}</span><span style="color:#e6db74">.json&#34;</span>) <span style="color:#66d9ef">as</span> f: </span></span><span style="display:flex;"><span> config <span style="color:#f92672">=</span> json<span style="color:#f92672">.</span>load(f) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>MyStack(app, <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;MyStack-</span><span style="color:#e6db74">{</span>env_name<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>, config<span style="color:#f92672">=</span>config) </span></span></code></pre></div><p>Add config files to <code>.gitignore</code>:</p> <pre tabindex="0"><code>config.*.json </code></pre><p>Deploy with:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ENV<span style="color:#f92672">=</span>dev cdk deploy </span></span><span style="display:flex;"><span>ENV<span style="color:#f92672">=</span>prod cdk deploy </span></span></code></pre></div><p><strong>Trade-off</strong>: Config lives outside source control - harder to audit and reproduce. Not suitable for team environments where config needs to be consistent.</p> <hr> <h2 id="production-patterns">Production patterns</h2> <p>Config lives in AWS or is injected by the pipeline - not in the codebase. Values can change without a code commit.</p> <h3 id="secrets-manager">Secrets Manager</h3> <p>Store sensitive config in Secrets Manager. Values are fetched at deploy time and injected into the Lambda environment - they are never visible in the CloudFormation template.</p> <p><strong>When to use</strong>: API keys, database passwords, tokens. Secrets should never go in <code>cdk.json</code> or plain environment variables.</p> <p>Create a secret (run once per environment):</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws secretsmanager create-secret <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --name <span style="color:#e6db74">&#34;/my-app/dev/config&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --secret-string <span style="color:#e6db74">&#39;{&#34;api_key&#34;:&#34;abc123&#34;,&#34;db_password&#34;:&#34;s3cr3t&#34;}&#39;</span> </span></span></code></pre></div><p>Reference the secret in the stack:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk <span style="color:#f92672">import</span> aws_secretsmanager <span style="color:#66d9ef">as</span> secretsmanager </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">class</span> <span style="color:#a6e22e">MyStack</span>(Stack): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">def</span> <span style="color:#a6e22e">__init__</span>(self, scope, id, env_name, <span style="color:#f92672">**</span>kwargs): </span></span><span style="display:flex;"><span> super()<span style="color:#f92672">.</span><span style="color:#a6e22e">__init__</span>(scope, id, <span style="color:#f92672">**</span>kwargs) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> secret <span style="color:#f92672">=</span> secretsmanager<span style="color:#f92672">.</span>Secret<span style="color:#f92672">.</span>from_secret_name_v2( </span></span><span style="display:flex;"><span> self, <span style="color:#e6db74">&#34;AppSecret&#34;</span>, <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;/my-app/</span><span style="color:#e6db74">{</span>env_name<span style="color:#e6db74">}</span><span style="color:#e6db74">/config&#34;</span> </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> fn <span style="color:#f92672">=</span> _lambda<span style="color:#f92672">.</span>Function(self, <span style="color:#e6db74">&#34;MyFunction&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span> environment<span style="color:#f92672">=</span>{ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;SECRET_ARN&#34;</span>: secret<span style="color:#f92672">.</span>secret_arn </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> secret<span style="color:#f92672">.</span>grant_read(fn) </span></span></code></pre></div><p>The Lambda reads the secret at runtime using the ARN:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">import</span> boto3<span style="color:#f92672">,</span> json<span style="color:#f92672">,</span> os </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">handler</span>(event, context): </span></span><span style="display:flex;"><span> client <span style="color:#f92672">=</span> boto3<span style="color:#f92672">.</span>client(<span style="color:#e6db74">&#34;secretsmanager&#34;</span>) </span></span><span style="display:flex;"><span> secret <span style="color:#f92672">=</span> json<span style="color:#f92672">.</span>loads(client<span style="color:#f92672">.</span>get_secret_value( </span></span><span style="display:flex;"><span> SecretId<span style="color:#f92672">=</span>os<span style="color:#f92672">.</span>environ[<span style="color:#e6db74">&#34;SECRET_ARN&#34;</span>] </span></span><span style="display:flex;"><span> )[<span style="color:#e6db74">&#34;SecretString&#34;</span>]) </span></span><span style="display:flex;"><span> api_key <span style="color:#f92672">=</span> secret[<span style="color:#e6db74">&#34;api_key&#34;</span>] </span></span></code></pre></div><p><strong>Trade-off</strong>: Cost per secret per month. Values are only available at runtime, not synth time. Rotation adds operational overhead but is worth setting up for credentials.</p> <p>For non-sensitive shared config that needs to change without a code commit - bucket names, log levels, timeouts - SSM Parameter Store is an alternative. Parameters are fetched at synth time via <code>value_from_lookup</code> and cached in <code>cdk.context.json</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk <span style="color:#f92672">import</span> aws_ssm <span style="color:#66d9ef">as</span> ssm </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>bucket_name <span style="color:#f92672">=</span> ssm<span style="color:#f92672">.</span>StringParameter<span style="color:#f92672">.</span>value_from_lookup( </span></span><span style="display:flex;"><span> self, <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;/my-app/</span><span style="color:#e6db74">{</span>env_name<span style="color:#e6db74">}</span><span style="color:#e6db74">/bucket_name&#34;</span> </span></span><span style="display:flex;"><span>) </span></span></code></pre></div><p>Commit <code>cdk.context.json</code> so CI doesn&rsquo;t need live SSM access on every run. SSM has no secrets support - keep anything sensitive in Secrets Manager.</p> <hr> <h3 id="cicd-context-injection">CI/CD context injection</h3> <p>Pass values into the stack directly from the pipeline via CDK context flags. The stack reads them at synth time - no external config files or AWS lookups required.</p> <p><strong>When to use</strong>: Values that are known to the pipeline at deploy time - environment name, account ID, deploy target region, feature flags. Works well when the pipeline is the source of truth for what gets deployed where.</p> <p>The stack reads context with <code>try_get_context</code> and uses <code>Stack.of(self).account</code> for the resolved AWS account:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> aws_cdk <span style="color:#f92672">import</span> Stack </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> constructs <span style="color:#f92672">import</span> Construct </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">class</span> <span style="color:#a6e22e">MyStack</span>(Stack): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">def</span> <span style="color:#a6e22e">__init__</span>(self, scope: Construct, id: str, <span style="color:#f92672">**</span>kwargs): </span></span><span style="display:flex;"><span> super()<span style="color:#f92672">.</span><span style="color:#a6e22e">__init__</span>(scope, id, <span style="color:#f92672">**</span>kwargs) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> env_name <span style="color:#f92672">=</span> self<span style="color:#f92672">.</span>node<span style="color:#f92672">.</span>try_get_context(<span style="color:#e6db74">&#34;env&#34;</span>) </span></span><span style="display:flex;"><span> profile <span style="color:#f92672">=</span> self<span style="color:#f92672">.</span>node<span style="color:#f92672">.</span>try_get_context(<span style="color:#e6db74">&#34;profile&#34;</span>) </span></span><span style="display:flex;"><span> account_id <span style="color:#f92672">=</span> Stack<span style="color:#f92672">.</span>of(self)<span style="color:#f92672">.</span>account </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> bucket <span style="color:#f92672">=</span> s3<span style="color:#f92672">.</span>Bucket(self, <span style="color:#e6db74">&#34;FilesBucket&#34;</span>, </span></span><span style="display:flex;"><span> bucket_name<span style="color:#f92672">=</span><span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;my-bucket-</span><span style="color:#e6db74">{</span>env_name<span style="color:#e6db74">}</span><span style="color:#e6db74">-</span><span style="color:#e6db74">{</span>account_id<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> ) </span></span></code></pre></div><p>The pipeline passes context at deploy time:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># GitHub Actions, CodePipeline, or any CI runner</span> </span></span><span style="display:flex;"><span>cdk deploy -c env<span style="color:#f92672">=</span>prod -c profile<span style="color:#f92672">=</span>my-prod </span></span></code></pre></div><p>A GitHub Actions step looks like:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Deploy</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">run</span>: <span style="color:#ae81ff">cdk deploy --require-approval never -c env=prod -c profile=my-prod</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">env</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_ACCESS_KEY_ID</span>: <span style="color:#ae81ff">${{ secrets.AWS_ACCESS_KEY_ID }}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">AWS_SECRET_ACCESS_KEY</span>: <span style="color:#ae81ff">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> </span></span></code></pre></div><p><code>try_get_context</code> returns <code>None</code> if the key is not passed. Add a guard if the value is required:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>env_name <span style="color:#f92672">=</span> self<span style="color:#f92672">.</span>node<span style="color:#f92672">.</span>try_get_context(<span style="color:#e6db74">&#34;env&#34;</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> env_name: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">ValueError</span>(<span style="color:#e6db74">&#34;env context is required - pass with -c env=&lt;name&gt;&#34;</span>) </span></span></code></pre></div><p><strong>Trade-off</strong>: Context values are visible in the pipeline logs and the synthesized CloudFormation template. Keep secrets in <a href="#secrets-manager">Secrets Manager</a> and pass only non-sensitive identifiers this way.</p> <hr> <h2 id="notes">Notes</h2> <div class="callout callout-aws4"> <ol> <li>These approaches combine well - SSM for non-sensitive shared config, Secrets Manager for secrets, CI/CD context injection for environment identifiers.</li> <li>Secrets Manager values are never embedded in CloudFormation templates - they are resolved at runtime by the Lambda itself.</li> <li>On Windows with PowerShell, set the env var with <code>$env:ENV=&quot;dev&quot;; cdk deploy</code> instead of the bash syntax.</li> </ol> </div> AWS CDK - Project Setup and Bootstrapping https://bastabc.com/posts/aws-cdk-project-setup-and-bootstrapping/ Sun, 11 May 2025 00:00:00 +0000 https://bastabc.com/posts/aws-cdk-project-setup-and-bootstrapping/ <p>This is Chapter 1 of the <a href="https://bastabc.com/posts/aws-cdk-infrastructure-as-code/">Infrastructure as Code with AWS CDK</a> series. Two things come before writing any stack code: initialising the CDK project and bootstrapping the AWS account.</p> <hr> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Python 3.9+</li> <li>Node.js 18+ (CDK CLI is a Node package)</li> <li>AWS CLI v2 configured with valid credentials - see <a href="https://bastabc.com/posts/connect-to-aws-sso-ssh-into-ec2-instance/">Connect to AWS SSO and SSH into EC2 Instance</a></li> <li>An AWS account with permissions to create IAM roles, S3 buckets, and CloudFormation stacks</li> </ul> <p>Install the CDK CLI globally:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>npm install -g aws-cdk </span></span><span style="display:flex;"><span>cdk --version </span></span></code></pre></div><hr> <h2 id="initialise-project">Initialise project</h2> <p>Create a new directory and initialise a CDK Python project inside it:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir my-cdk-app <span style="color:#f92672">&amp;&amp;</span> cd my-cdk-app </span></span><span style="display:flex;"><span>cdk init app --language python </span></span></code></pre></div><p>This scaffolds the project with a virtual environment, a sample stack, and a <code>cdk.json</code> config file.</p> <p>Activate the virtual environment and install dependencies:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># macOS / Linux</span> </span></span><span style="display:flex;"><span>source .venv/bin/activate </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Windows (PowerShell)</span> </span></span><span style="display:flex;"><span>.venv<span style="color:#ae81ff">\S</span>cripts<span style="color:#ae81ff">\a</span>ctivate.ps1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>pip install -r requirements.txt </span></span></code></pre></div><hr> <h2 id="directory-structure">Directory structure</h2> <p>After initialisation the project looks like this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>my-cdk-app/ </span></span><span style="display:flex;"><span>├── app.py # CDK app entry point </span></span><span style="display:flex;"><span>├── cdk.json # CDK config and context </span></span><span style="display:flex;"><span>├── requirements.txt # Python dependencies </span></span><span style="display:flex;"><span>├── requirements-dev.txt # Dev dependencies (e.g. pytest) </span></span><span style="display:flex;"><span>├── .venv/ # Python virtual environment </span></span><span style="display:flex;"><span>└── my_cdk_app/ </span></span><span style="display:flex;"><span> ├── __init__.py </span></span><span style="display:flex;"><span> └── my_cdk_app_stack.py # Default stack </span></span></code></pre></div><p><code>app.py</code> is where the CDK app is defined and stacks are instantiated. <code>my_cdk_app_stack.py</code> is where resources are defined. The folder and class names match the project name passed to <code>cdk init</code>.</p> <hr> <h2 id="bootstrap-aws-account">Bootstrap AWS account</h2> <p>CDK needs a one-time setup in each AWS account and region it deploys to. Bootstrapping creates an S3 bucket (for assets) and IAM roles (for deployments) in the account:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cdk bootstrap aws://123456789012/us-east-1 </span></span></code></pre></div><p>Replace <code>123456789012</code> with your account ID and <code>us-east-1</code> with your target region. If credentials are already configured via AWS CLI or SSO, the account ID can be omitted:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cdk bootstrap </span></span></code></pre></div><p>This only needs to run once per account/region combination. Re-running it is safe - it updates the bootstrap stack if needed.</p> <hr> <h2 id="synth-and-deploy">Synth and deploy</h2> <p>CDK compiles Python into CloudFormation before deploying. Run <code>synth</code> to see the generated CloudFormation template:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cdk synth </span></span></code></pre></div><p>This outputs a CloudFormation template to <code>cdk.out/</code>. Use it to verify what CDK will create before deploying.</p> <p>Deploy the stack:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cdk deploy </span></span></code></pre></div><p>CDK shows a diff of changes and prompts for confirmation before creating or modifying any IAM resources.</p> <hr> <h2 id="verify">Verify</h2> <p>After deploying, the stack appears in CloudFormation in the AWS console. Check:</p> <ul> <li>CloudFormation &gt; Stacks &gt; <code>MyCdkAppStack</code> - status should be <code>CREATE_COMPLETE</code></li> <li>S3 &gt; Buckets - the CDK bootstrap bucket should be visible (<code>cdk-hnb659fds-assets-...</code>)</li> </ul> <p>To tear down the stack:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cdk destroy </span></span></code></pre></div><hr> <h2 id="notes">Notes</h2> <div class="callout callout-aws4"> <ol> <li>The bootstrap stack itself is a CloudFormation stack - it can be viewed and managed in the console under <code>CDKToolkit</code>.</li> <li>Each AWS account + region combination needs its own bootstrap - e.g. deploying to both <code>us-east-1</code> and <code>ap-southeast-2</code> requires bootstrapping both.</li> <li><code>cdk synth</code> is useful for debugging - the generated CloudFormation is in <code>cdk.out/</code> and can be inspected directly.</li> <li>The <code>.venv/</code> folder and <code>cdk.out/</code> should be in <code>.gitignore</code> - they are added automatically by <code>cdk init</code>.</li> </ol> </div> Install CloudWatch agent in EC2 Instance https://bastabc.com/posts/install-cloudwatch-agent-in-ec2/ Thu, 03 Apr 2025 00:00:00 +0000 https://bastabc.com/posts/install-cloudwatch-agent-in-ec2/ <p>EC2 does not send memory or disk metrics to CloudWatch by default - only CPU, network and status checks. The CloudWatch agent runs inside the instance and collects system-level metrics and logs directly.</p> <hr> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>EC2 instance running (Amazon Linux 2 or Ubuntu)</li> <li>SSH access to the instance - see <a href="https://bastabc.com/posts/connect-to-aws-sso-ssh-into-ec2-instance/">Connect to AWS SSO and SSH into EC2 Instance</a></li> <li>Terminal</li> </ul> <hr> <h2 id="attach-iam-role-to-the-instance">Attach IAM role to the instance</h2> <p>The agent needs permission to write metrics and logs to CloudWatch. In the AWS console:</p> <ol> <li>EC2 &gt; Instances &gt; select your instance</li> <li>Actions &gt; Security &gt; Modify IAM role</li> <li>Attach a role that has <code>CloudWatchAgentServerPolicy</code> managed policy</li> </ol> <p>If no such role exists, create one:</p> <ol> <li>IAM &gt; Roles &gt; Create role</li> <li>Trusted entity: AWS service &gt; EC2</li> <li>Add permission: <code>CloudWatchAgentServerPolicy</code></li> <li>Name it (e.g. <code>ec2-cloudwatch-agent-role</code>) and create</li> </ol> <hr> <h2 id="install-the-agent">Install the agent</h2> <p>SSH into the instance, then run the appropriate command for your OS.</p> <p><strong>Amazon Linux 2:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo yum install -y amazon-cloudwatch-agent </span></span></code></pre></div><p><strong>Ubuntu:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt-get install -y amazon-cloudwatch-agent </span></span></code></pre></div><hr> <h2 id="configure-the-agent">Configure the agent</h2> <p>Run the configuration wizard - it steps through metrics and log collection interactively:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard </span></span></code></pre></div><p>Alternatively, create a config file manually at <code>/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;agent&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;metrics_collection_interval&#34;</span>: <span style="color:#ae81ff">60</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;run_as_user&#34;</span>: <span style="color:#e6db74">&#34;root&#34;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;metrics&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;namespace&#34;</span>: <span style="color:#e6db74">&#34;CWAgent&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;metrics_collected&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;mem&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;measurement&#34;</span>: [<span style="color:#e6db74">&#34;mem_used_percent&#34;</span>] </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;disk&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;measurement&#34;</span>: [<span style="color:#e6db74">&#34;disk_used_percent&#34;</span>], </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;resources&#34;</span>: [<span style="color:#e6db74">&#34;/&#34;</span>] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Collects memory and disk usage every 60 seconds under the <code>CWAgent</code> namespace.</p> <hr> <h2 id="start-the-agent">Start the agent</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -a fetch-config <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -m ec2 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -s </span></span></code></pre></div><hr> <h2 id="verify">Verify</h2> <p>Check the agent is running:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status </span></span></code></pre></div><p>Expected output:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;status&#34;</span>: <span style="color:#e6db74">&#34;running&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;starttime&#34;</span>: <span style="color:#e6db74">&#34;...&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;version&#34;</span>: <span style="color:#e6db74">&#34;...&#34;</span> </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>In the AWS console, go to CloudWatch &gt; Metrics &gt; All metrics &gt; CWAgent to confirm metrics are coming in. Give it 2-3 minutes after starting for metrics to show up.</p> <hr> <h2 id="notes">Notes</h2> <div class="callout callout-aws4"> <ol> <li>If the instance had no IAM role before, restart the agent after attaching the role - it picks up credentials on start.</li> <li>The wizard config is saved to <code>/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json</code> by default.</li> <li>To collect logs, add a <code>logs</code> block to the config pointing to the log file paths.</li> <li>Agent logs are at <code>/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log</code> - check here if metrics are not appearing.</li> </ol> </div> Connect to AWS SSO and SSH into EC2 Instance https://bastabc.com/posts/connect-to-aws-sso-ssh-into-ec2-instance/ Mon, 17 Mar 2025 00:00:00 +0000 https://bastabc.com/posts/connect-to-aws-sso-ssh-into-ec2-instance/ <p>Two paths depending on your setup - follow one:</p> <ul> <li><strong>Without SSO</strong>: personal AWS account, direct IAM credentials</li> <li><strong>With SSO</strong>: enterprise/team setup with an SSO start URL (e.g. <code>https://company.awsapps.com/start</code>)</li> </ul> <hr> <h2 id="prerequisites">Prerequisites</h2> <p>Without SSO:</p> <ul> <li>AWS CLI v2</li> <li>AWS IAM user credentials (Access Key ID and Secret Access Key)</li> <li>Terminal</li> </ul> <p>With SSO:</p> <ul> <li>AWS CLI v2</li> <li>AWS SSO start URL and access</li> <li>Terminal</li> </ul> <hr> <h2 id="files-you-will-need">Files you will need</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>~/ </span></span><span style="display:flex;"><span>├── .aws/ </span></span><span style="display:flex;"><span>│ ├── config </span></span><span style="display:flex;"><span>│ └── credentials </span></span><span style="display:flex;"><span>└── .ssh/ </span></span><span style="display:flex;"><span> ├── ec2-key.pem </span></span><span style="display:flex;"><span> └── config </span></span></code></pre></div><hr> <h2 id="path-a-without-sso">Path A: Without SSO</h2> <p>Create <code>.aws</code> folder if it doesn&rsquo;t exist. Run from your home directory (<code>~</code>).</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir -p ~/.aws </span></span></code></pre></div><p>Create <code>~/.aws/credentials</code>.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#66d9ef">[default]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">aws_access_key_id</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">YOUR_ACCESS_KEY_ID</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">aws_secret_access_key</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">YOUR_SECRET_ACCESS_KEY</span> </span></span></code></pre></div><p>Create <code>~/.aws/config</code>.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#66d9ef">[default]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">region</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">ap-southeast-2</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">output</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">json</span> </span></span></code></pre></div><p>Test your config.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws sts get-caller-identity </span></span></code></pre></div><hr> <h2 id="path-b-with-sso">Path B: With SSO</h2> <p>Add a profile block to <code>~/.aws/config</code> for each environment (e.g. <code>aws-dev</code>, <code>aws-prod</code>):</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#66d9ef">[profile aws-prod]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">sso_session</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">aws-prod</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">sso_account_id</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">123456789123</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">sso_role_name</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">aws-prod-SystemAdmin</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">region</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">ap-southeast-4</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">output</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">json</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">credential_process</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">aws configure export-credentials --profile aws-prod</span> </span></span></code></pre></div><p>Sample <code>.aws</code> folder structure: <img loading="lazy" src="sso.png" alt="aws-folder" /> </p> <hr> <h2 id="setup-ssh-config">Setup SSH config</h2> <p>Download the <code>.pem</code> keypair when launching the EC2 instance and move it here.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir -p ~/.ssh </span></span><span style="display:flex;"><span>mv ~/Downloads/ec2-prod.pem ~/.ssh/ec2-prod.pem </span></span><span style="display:flex;"><span>chmod <span style="color:#ae81ff">400</span> ~/.ssh/ec2-prod.pem </span></span></code></pre></div><p><strong>Basic SSH config (no SSO)</strong></p> <p>Add to <code>~/.ssh/config</code>:</p> <pre tabindex="0"><code>Host ec2-prod HostName 1.2.3.4 # Replace with your EC2&#39;s public IP User ec2-user # Use &#39;ubuntu&#39; for Ubuntu instances IdentityFile ~/.ssh/ec2-prod.pem </code></pre><p><strong>SSO ProxyCommand config</strong></p> <p>Use this if connecting via AWS SSM Session Manager with an SSO profile. Add to <code>~/.ssh/config</code> (or a separate file under <code>~/.ssh/config.d/</code>):</p> <pre tabindex="0"><code>Host ec2-prod User ec2-user IdentityFile ~/.ssh/ec2-prod.pem ProxyCommand aws ssm start-session --target i-01xyz7659824a123q --profile aws-prod --document-name AWS-StartSSHSession --parameters portNumber=22 </code></pre><p>Sample <code>.ssh</code> folder structure: <img loading="lazy" src="ssh.png" alt="ssh-folder" /> </p> <hr> <h2 id="connect">Connect</h2> <p>If using SSO, log in first:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws sso login --profile aws-prod </span></span></code></pre></div><p>Then SSH in:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ssh ec2-prod </span></span></code></pre></div><p><img loading="lazy" src="ec2.png" alt="ec2-connect" /> </p>