Jul 23, 2024

Unlocking the Power of AWS CDK: Why It’s Our Default Infrastructure as Code Tool

author's image Morten Jensen
7 minutes read

Querying CloudTrail Logs in an AWS Organization with Athena

Background

At Virtuability, we’re always on the lookout for tools that can enhance our AWS consulting services and deliver maximum value to our customers.

Over the past number of years, when it comes to Infrastructure as Code (IaC), we’ve found that the AWS Cloud Development Kit (CDK) increases productivity considerably and allows us build-in governance and support guardrails from the onset of stack development, for both Landing Zone components and App stacks alike.

Here’s why we believe that the CDK, which is underpinned by CloudFormation, is a great choice for managing AWS infrastructure.

Native AWS Integration

The AWS CDK is built for AWS, offering seamless integration with the AWS ecosystem. The native compatibility with Cloudformation ensures that you’re working with the majority of AWS features and services.

Open Source

The AWS CDK is an open source development framework with a large, active community of volunteers.

Extensibility & Third-Party constructs

There’s a large, public Construct Hub, which provides many third-party constructs including from large software vendors, which helps to integrate vendor services with relative ease to AWS environments.

The Power of Programming Languages

Unlike other IaC tools that use domain-specific languages, CDK allows you to define your infrastructure using familiar programming languages like TypeScript, Python, Java etc. This approach leverages your existing development skills, making it easier to create complex, dynamic infrastructure definitions.

Bringing the power of imperative development on top of a declarative deployment mechanism makes conditional logic and configuration much simpler to handle.

Multi-Region and Multi-Account Deployments

CDK excels at managing multi-region and multi-account deployments. You can easily define stacks that deploy resources across different regions or accounts, all from a single CDK application. This capability is crucial for organisations with complex, distributed architectures or those adhering to AWS’s well-architected framework.

The added benefit is that when using Cloudformation there is no need for complex handling of cross-stack state.

Enhanced Security with Custom Bootstraps

The CDK’s bootstrap process can be customized and hardened, allowing you to implement strict security controls. For instance, you can deploy the bootstrap as a stack set across accounts and regions in your AWS Organization, ensuring consistent security measures across all accounts.

You can also create multiple bootstraps for different roles, providing fine-grained access control. For example Platform and DevOps engineers can use a more permissive bootstrap with a distinct CDK qualifier while App developers use a more restricted bootstrap.

In addition, IAM roles and policies can be namespaced to provide separation between for instance Landing Zone concerns and App concerns.

Deployment Role Permission Boundaries

The CDK allows you to set IAM permission boundaries on deployment roles, limiting the scope of actions that can be performed during deployments. This additional layer of security helps prevent unintended permissions while offering flexibility to the principle of least privilege.

We find that using IAM permission boundaries in conjunction with Aspects (instead of hardcoding in cdk.json) provides a very flexible approach to managing attachment multiple permission boundaries.

Streamlined CI/CD Integration

The CDK integrates beautifully with CI/CD pipelines. Whether you’re using CDK Pipelines or third-party tools like GitHub Actions, you can automate your infrastructure deployments without exposing sensitive permissions directly to users. The deployment role, which can only be used by CloudFormation, adds an extra layer of security to your CI/CD process.

Flexibility with Aspects & Escape Hatches

The CDK’s Aspects provide powerful mechanisms for applying changes across your entire infrastructure stack. These features allow you to implement cross-cutting concerns, such as adding permission boundaries to roles, enforcing specific security groups etc., with minimal effort.

For instance, cdk-nag also uses Aspects.

While the CDK abstracts away much of the complexity of CloudFormation, it also provides escape hatches that allow you to override CDK construct Properties or even drop down to setting Properties in raw CloudFormation, when needed. This flexibility ensures that you’re not limited by the CDK’s abstractions and can implement advanced or custom configurations.

Reusable Components with Constructs

The CDK’s concept of Constructs allows you to create reusable components that encapsulate both infrastructure and logic. This promotes code reuse, reduces duplication and allows you to build a library of best-practice implementations that can be shared across projects and teams.

Automatic Dependency Management

The CDK automatically manages dependencies between resources, reducing the likelihood of deployment errors due to incorrect resource ordering. This feature significantly simplifies the process of creating complex, interconnected infrastructure.

Unit Testing

Support for unit testing in AWS CDK apps comes out-of-the-box.

AWS CDK unit testing offers numerous advantages for developers working with infrastructure as code. By implementing unit tests for CDK constructs and stacks, teams can catch errors early in the development process, improve code quality and reduces the likelihood of deployment issues in production.

The tests allow developers to verify that their stacks contain the expected resources, that resources are configured correctly and expected properties are set accurately. Unit testing also facilitates easier refactoring and maintenance of the CDK app code, as changes can be quickly validated against existing tests.

Furthermore, it promotes better documentation and understanding of the infrastructure design, as tests serve as executable specifications. Ultimately, CDK unit testing leads to more reliable, maintainable and scalable cloud infrastructure, saving time and resources in the long run while improving overall system stability.

State management

State management of deployed stacks is handled automatically via Cloudformation. There is no need for additional services or configuration to handle state, whether for a single or multi-account or region app.

Cloudformation handles all of the heavy-lifting including rollback of failed deployments.

In addition, through the CDK it’s possible to generate easy-to-interpret comparison of an existing stack against changes in the app through excellent cdk diff’s.

Finally, Cloudformation ChangeSets now offer much improved change visibility, which helps engineers understand the potential impact of changes.

Governance & Guardrails

To build robust governance and guardrails into AWS CDK apps, developers can leverage tools like cdk-nag and CfnGuardValidator.

These utilities help enforce best practices, security standards and compliance requirements throughout the infrastructure-as-code lifecycle. cdk-nag integrates seamlessly with CDK stacks, providing rule packs that can be customized to match organisational policies.

CfnGuardValidator is backed by existing Control Tower Proactive Controls and also allows for the creation of custom rules to validate CloudFormation templates.

By incorporating these tools and unit tests into CI/CD pipelines, teams can automate the process of checking for potential issues before deployment, ensuring that infrastructure changes adhere to predefined standards. This approach not only enhances security and compliance but also promotes consistency across projects and reduces the risk of misconfigurations making their way into production environments.

Drawbacks

As always, no one tool is perfect.

  1. Performance. The CDK can at times feel slow if the system it’s run on does not have sufficient memory, CPU or disk performance. Also, virus/malware scanners can have an considerably impact on performance.

  2. When there are no CDK L2 constructs to support a service (e.g. Sagemaker domains, Transit Gateway etc.) it can be awkward and quite verbose to use L1 constructs.

  3. Cloudformation has traditionally been considered “slow” to deploy stacks when compared to alternatives. However, features such as Optimistic Stabilisation have helped considerably with overall stack deployment time

  4. Sharing of cross-region/cross-account input and output dependencies could be simpler and less elaborate

Conclusion

At Virtuability, we’ve found that the AWS CDK provides a lot of power, flexibility and ease of use for deploying AWS infrastructure.

Whether you’re managing a simple application or a complex, multi-region, multi-account infrastructure, CDK can help. By leveraging the CDK, we help our customers create more maintainable, secure and efficient AWS environments, enabling them to focus on what truly matters – delivering value to their customers.

Finally, note that the Best practices for developing and deploying cloud infrastructure with the AWS CDK page is a valuable resource for using the AWS CDK effectively.

If you’re interested in learning how the AWS CDK can transform your infrastructure management, reach out to us at Virtuability. We’re here to help you harness the full power of AWS and take your cloud infrastructure to the next level.

We have the tools to understand your cloud and the guidance to make the most of it.

GET IN TOUCH

Schedule a call with a us and find out what Virtuability can do for you.

GET STARTED