Using the AWS CDK and SDK to manage our cloud infrastructure across teams

Mina Yousseif
Published in deepwatch sec
Sep 14, 2021 · 3 min read

What is AWS CDK?

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework for defining cloud application resources and infrastructure as code (IaC) using familiar programming languages. The AWS CDK supports TypeScript, JavaScript, Python, Java, C#/.Net, and (in developer preview) Go.

Why we chose AWS CDK

Developer-friendly.

It lets us define our IaC in a familiar programming language and use the full power of that language (TypeScript in our case). As a result, we write less and do more than with raw AWS CloudFormation, without context switching and with a gentle learning curve.

Accelerates the development process.

We needed a solution to enable our team to scale, add new services, and expand our cloud infrastructure to meet our new and frequently changing product requirements.

Write reusable and sharable IaC code.

We can customize our IaC components in a modular, reusable way that meets our team's security standards and lets us provision common cloud infrastructure patterns faster.

Easy to integrate with our CI/CD pipelines.

We wanted a framework that could integrate seamlessly with our deployment pipelines.

TDD for IaC.
Testing our infrastructure code with industry-standard libraries, all in the same tooling, made us faster.

How we used AWS CDK with AWS SDK to manage our cloud infrastructure across teams

Before releasing a new project, as a security practice, we ship our API and application logs to a dedicated Kinesis stream owned by our security team so they can analyze them. However, since our IaC stack does not manage the AWS resources the security team provisions, we needed a way to keep the integration between the two stacks in code, yet simple enough to avoid honest mistakes and human errors.

Using the CfnOutput construct in CDK, we can export the values we need and later import them into other stacks, or simply write them to a file on the local file system with `cdk deploy --outputs-file` (`-O`).

So we saved all the needed values from our CDK-managed stack to a JSON file, then ran an after-deploy script that parsed and loaded those values and used the AWS SDK to update the AWS resources owned by our security team. First, of course, we had to grant our CI/CD pipeline's IAM role permission to update those resources; that grant should be scoped to the specific actions and resources the script needs, not a broad administrative policy.
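As an added illustration (not from the original post, which does not show its pipeline policy), here is what a scoped grant for the pipeline role could look like, assuming the after-deploy script's job is to attach a CloudWatch Logs subscription filter on the app's log groups that delivers to the security team's Kinesis stream. The account ID, region, log group prefix `/acme-app/`, and role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WireAppLogGroupsToSecurityStream",
      "Effect": "Allow",
      "Action": [
        "logs:PutSubscriptionFilter",
        "logs:DescribeSubscriptionFilters"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/acme-app/*"
    },
    {
      "Sid": "PassOnlyTheSecurityDeliveryRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/security-logs-to-kinesis"
    }
  ]
}
```

The `iam:PassRole` statement is the one to watch: CloudWatch Logs assumes the delivery role to write into the stream, so the pipeline must be allowed to pass exactly that role and nothing else. An unscoped `"Resource": "*"` on `iam:PassRole` would let a compromised pipeline hand any role in the account to any service.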

Demo CDK Stack

I'll create a simple CDK stack for demo purposes consisting of an API Gateway, a Lambda function, and a CloudWatch log group.

[Embedded gist: The Acme App AWS CDK stack]
[Embedded gist: The after-deploy script that updates the unmanaged AWS resources using the AWS SDK]

Then we run the following CLI command to deploy the CDK stack and update the cross-team resources with the after-deploy-updates.ts script. The `&&` ensures the script only runs if the deploy succeeded, so a failed or partially rolled-back stack never gets wired into the security team's resources.

cdk deploy -O cdk.out/stack-outputs.json && npx ts-node after-deploy-updates.ts
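The post's gists are not reproduced on this page, so the following is an added example of the after-deploy side of this procedure, written by the editor rather than taken from the post. It assumes the stack is named `AcmeAppStack` and declares `new CfnOutput(this, "LogGroupName", { value: logGroup.logGroupName })`, that the cross-team wiring is a CloudWatch Logs subscription filter delivering the log group to the security team's Kinesis stream (the post does not say which resource its script touched), and that the stream and delivery-role ARNs shown are placeholders. The real script would read `cdk.out/stack-outputs.json` from disk and pass a `CloudWatchLogsClient` from `@aws-sdk/client-cloudwatch-logs`; here the SDK client is behind a small `Sender` interface so the validation and request-building logic runs offline and can be unit tested, in the TDD spirit the post describes.

```typescript
// Added example (not the post's gist): the testable core of an after-deploy
// script that wires a CDK-managed log group to another team's Kinesis stream.
// Assumed: stack "AcmeAppStack" exports "LogGroupName"; ARNs are placeholders.

// Shape of the file written by `cdk deploy --outputs-file`:
// { "<StackName>": { "<OutputId>": "<value>", ... } }
type StackOutputsFile = Record<string, Record<string, string>>;

// Input of PutSubscriptionFilter in AWS SDK for JavaScript v3.
interface SubscriptionFilterInput {
  logGroupName: string;
  filterName: string;
  filterPattern: string; // "" forwards every event
  destinationArn: string;
  roleArn: string;
}

// Minimal view of an SDK v3 client (client.send(command)) so a fake can be injected.
interface Sender {
  send(command: { input: SubscriptionFilterInput }): Promise<unknown>;
}

interface SecurityTeamWiring {
  logGroupPrefix: string; // the only log groups this script may touch
  destinationArn: string; // security team's Kinesis stream
  roleArn: string;        // role CloudWatch Logs assumes to write to the stream
}

// Formats enforced so a corrupted or hand-edited outputs file fails closed.
const LOG_GROUP_NAME = /^[A-Za-z0-9_./#-]{1,512}$/;
const KINESIS_STREAM_ARN = /^arn:aws[a-z-]*:kinesis:[a-z0-9-]+:\d{12}:stream\/[A-Za-z0-9_.-]+$/;
const IAM_ROLE_ARN = /^arn:aws[a-z-]*:iam::\d{12}:role\/[\w+=,.@\/-]+$/;

// Parse the outputs file and return the outputs recorded for one stack.
function parseStackOutputs(json: string, stackName: string): Record<string, string> {
  let file: StackOutputsFile;
  try {
    file = JSON.parse(json) as StackOutputsFile;
  } catch (e) {
    throw new Error("outputs file is not valid JSON");
  }
  const outputs = file[stackName];
  if (!outputs || typeof outputs !== "object") {
    throw new Error(`no outputs recorded for stack ${stackName}`);
  }
  return outputs;
}

function requireOutput(outputs: Record<string, string>, key: string, pattern: RegExp): string {
  const value = outputs[key];
  if (typeof value !== "string" || !pattern.test(value)) {
    throw new Error(`output ${key} is missing or malformed: ${JSON.stringify(value)}`);
  }
  return value;
}

// Build the request, refusing anything outside the scope the pipeline role is limited to.
function buildSubscriptionFilter(outputs: Record<string, string>, wiring: SecurityTeamWiring): SubscriptionFilterInput {
  const logGroupName = requireOutput(outputs, "LogGroupName", LOG_GROUP_NAME);
  if (!logGroupName.startsWith(wiring.logGroupPrefix)) {
    throw new Error(`refusing to touch log group outside ${wiring.logGroupPrefix}: ${logGroupName}`);
  }
  if (!KINESIS_STREAM_ARN.test(wiring.destinationArn)) throw new Error("bad destination ARN");
  if (!IAM_ROLE_ARN.test(wiring.roleArn)) throw new Error("bad delivery role ARN");
  return {
    logGroupName,
    filterName: "to-security-kinesis",
    filterPattern: "",
    destinationArn: wiring.destinationArn,
    roleArn: wiring.roleArn,
  };
}

// The after-deploy step: in production, `sender` is a CloudWatchLogsClient and the
// command is `new PutSubscriptionFilterCommand(input)`; the request shape is the same.
async function runAfterDeploy(sender: Sender, outputsJson: string, wiring: SecurityTeamWiring): Promise<SubscriptionFilterInput> {
  const input = buildSubscriptionFilter(parseStackOutputs(outputsJson, "AcmeAppStack"), wiring);
  await sender.send({ input });
  return input;
}

// Dry-run sender: records what would be sent instead of calling AWS.
class RecordingSender implements Sender {
  sent: SubscriptionFilterInput[] = [];
  async send(command: { input: SubscriptionFilterInput }): Promise<unknown> {
    this.sent.push(command.input);
    return {};
  }
}

// Constructed sample of cdk.out/stack-outputs.json (not a real deployment).
const SAMPLE_OUTPUTS = JSON.stringify({
  AcmeAppStack: {
    ApiEndpoint: "https://abc123.execute-api.us-east-1.amazonaws.com/prod/",
    LogGroupName: "/acme-app/api-handler",
  },
});

// Placeholder values for the security team's resources.
const SECURITY_TEAM: SecurityTeamWiring = {
  logGroupPrefix: "/acme-app/",
  destinationArn: "arn:aws:kinesis:us-east-1:123456789012:stream/security-app-logs",
  roleArn: "arn:aws:iam::123456789012:role/security-logs-to-kinesis",
};

runAfterDeploy(new RecordingSender(), SAMPLE_OUTPUTS, SECURITY_TEAM)
  .then((input) => console.log("would send PutSubscriptionFilter:", input));
```

Two checks here are the ones that matter operationally: the script refuses to run at all if the expected output is missing or malformed (rather than silently wiring nothing), and it refuses any log group outside the prefix its pipeline role is scoped to, so the IAM policy and the script agree on the blast radius. `PutSubscriptionFilter` is idempotent for a given `filterName`, so re-running the pipeline simply re-applies the same filter.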

Conclusion

Give AWS CDK a try. It lets you provision new projects in a safe, sharable, and reusable way, with security, compliance, and governance best practices built in.

We migrated our deepwatch MOBILE backend IaC from AWS Amplify to AWS CDK in two weeks, right before our GA release date. It was a seamless migration that allowed us to iterate faster after the release. Looking ahead, we will be migrating the rest of our products' IaC from AWS CloudFormation and SAM to AWS CDK.

Work at deepwatch

Our team is growing. Join our team to reshape the future of managed security services by working on cutting-edge technologies and solving challenging yet fun problems.

Mina Yousseif

A software engineer who has a passion for creating challenging and data-intensive applications