IaC with Programming Languages Using AWS CDK - Designing Constructs and Stacks
Learn about defining infrastructure with TypeScript/Python using CDK, choosing between L1/L2/L3 constructs, and testing techniques.
CDK Overview
CDK is an IaC framework that lets you define AWS infrastructure in five languages: TypeScript, Python, Java, C#, and Go. Instead of hand-writing CloudFormation YAML/JSON templates, you define resources using programming language classes and methods. CDK automatically generates CloudFormation templates and executes deployments.
Constructs and Testing
L1 constructs are one-to-one mappings of CloudFormation resources, where all properties must be explicitly specified. L2 constructs come with best-practice defaults applied; for example, S3 buckets have encryption and versioning enabled by default. L3 constructs (patterns) are high-level abstractions that combine multiple resources; LambdaRestApi builds API Gateway and Lambda together in one step. Using the Assertions module with hasResourceProperties, you can test that the generated template contains the expected resources and properties.
Self-Mutation with CDK Pipelines
CDK Pipelines enables a "self-mutation" pattern where the pipeline itself is defined in CDK, and pipeline configuration changes are also deployed through the pipeline. Using CodePipeline as the backend, it automatically configures stages for source retrieval, cdk synth, self-update, and deployment. For multi-account and multi-region deployments, the Wave and Stage concepts let you declaratively describe parallel deployments and ordering control. For example, you can define a flow that deploys to a development environment first, includes a manual approval step, and then deploys to production - all in just a few dozen lines of code. Incorporating cdk diff into pull request checks visualizes the impact of infrastructure changes during review, enabling early detection of unintended resource deletions or replacements. To broaden your knowledge of development tools, specialized books on Amazon can also be useful.
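The pull-request gate described above can be more useful than a plain pass/fail on "any change": what a reviewer most needs to catch is a resource that `cdk diff` reports as destroyed or replaced. The following is an added example, not code from the article or from the CDK project. It scans diff output for the resource summary lines and reports only the destructive ones. The sample output is constructed in the shape those lines take (`[+]`, `[~]` or `[-]`, then resource type, construct path, logical id and, for the dangerous cases, `destroy`, `replace` or `may be replaced`); the logical ids and function names are illustrative, and the line format should be checked against the CDK version you actually run.

```typescript
// Added example (not from the article or aws-cdk): gate a pull request on the
// destructive changes reported by `cdk diff`. Function and type names are
// illustrative; the diff text below is a constructed sample.

type ChangeKind = "destroy" | "replace" | "may-replace";

interface DiffFinding {
  line: number;        // 1-based line in the diff output
  resourceType: string;
  logicalId: string;
  kind: ChangeKind;
}

// Resource summary line: "[-] AWS::SQS::Queue DeadLetter DeadLetterQueue... destroy".
// Property-level lines are prefixed with tree characters ("└─ [-] old") and so
// never match this anchored pattern.
const RESOURCE_LINE =
  /^\[([-+~])\]\s+([A-Za-z0-9]+::[A-Za-z0-9:]+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$/;

function findDestructiveChanges(diffOutput: string): DiffFinding[] {
  const findings: DiffFinding[] = [];
  diffOutput.split("\n").forEach((raw, i) => {
    const m = RESOURCE_LINE.exec(raw.trim());
    if (!m) return;
    const marker = m[1];
    const resourceType = m[2];
    const logicalId = m[4];
    const tail = m[5] ?? "";
    let kind: ChangeKind | undefined;
    if (marker === "-") kind = "destroy";
    else if (marker === "~" && /\bmay be replaced\b/.test(tail)) kind = "may-replace";
    else if (marker === "~" && /\breplace\b/.test(tail)) kind = "replace";
    if (kind) findings.push({ line: i + 1, resourceType, logicalId, kind });
  });
  return findings;
}

// Returns ok=false when destructive changes are present and not explicitly
// allowed (for example via a reviewed "allow-destructive" PR label).
function gateDiff(diffOutput: string, allowDestructive = false): { ok: boolean; report: string[] } {
  const findings = findDestructiveChanges(diffOutput);
  const report = findings.map(
    (f) => `line ${f.line}: ${f.kind.toUpperCase()} ${f.resourceType} ${f.logicalId}`,
  );
  return { ok: allowDestructive || findings.length === 0, report };
}

// Constructed sample of cdk diff output: one addition, one deletion, one
// replacement and one harmless in-place update.
const SAMPLE_DIFF = `Stack ApiStack
Resources
[+] AWS::S3::Bucket Assets AssetsBucket1A2B3C4D
[-] AWS::SQS::Queue DeadLetter DeadLetterQueue5E6F7A8B destroy
[~] AWS::DynamoDB::Table Orders OrdersTable9C0D1E2F replace
 └─ [~] TableName (requires replacement)
     ├─ [-] orders-v1
     └─ [+] orders-v2
[~] AWS::Lambda::Function Handler HandlerFn3A4B5C6D
 └─ [~] Timeout
     ├─ [-] 3
     └─ [+] 10
`;

function runSampleGate(): { ok: boolean; report: string[] } {
  return gateDiff(SAMPLE_DIFF);
}
```

In CI the diff text comes from `cdk diff` run against the target environment; `cdk diff --fail` already exits non-zero on any difference, whereas this gate narrows the block to deletions and replacements so that routine updates still pass review without a manual override.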
Governance with Aspects and Custom Rules
CDK's Aspects feature is a visitor mechanism that traverses every construct in a stack, so a single Aspect can validate or set properties across all of them. For example, you can create an Aspect that enforces encryption on all S3 buckets, or one that adds tags to all Lambda functions. The cdk-nag library packages AWS best practices and compliance rules for standards such as NIST and HIPAA as Aspects, so violations are detected during cdk synth. You can also write custom Aspects to enforce organization-specific rules (naming conventions, region restrictions, public access prohibition, etc.). This catches policy violations at development time, rather than relying on post-deployment detection through CloudFormation Guard or Config Rules.
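The two mechanisms above, the Aspect visitor that enforces or validates a rule on every construct, and the hasResourceProperties-style check that confirms the synthesized template contains what you expect, are shown together in the following added example. It is not aws-cdk-lib code and not from the article: it is a small, library-free model of the construct tree (Construct, IAspect, a synth pass that fails on error annotations, an objectLike matcher) written so it runs offline. Resource property shapes follow CloudFormation's S3 bucket schema; the class names, the `acme-` naming rule, the logical-id scheme and the stacks built at the bottom are illustrative assumptions.

```typescript
// Added example, not aws-cdk-lib code: a minimal model of the construct tree,
// the Aspect visitor pattern, and a hasResourceProperties-style assertion.
// Class names, the naming rule and the sample stacks are illustrative.

type Props = Record<string, unknown>;

class Construct {
  readonly children: Construct[] = [];
  readonly annotations: string[] = []; // models Annotations.of(node).addError()
  constructor(
    readonly id: string,
    readonly scope: Construct | undefined,
    readonly resourceType?: string,   // set only for L1-style resource nodes
    readonly props: Props = {},
  ) {
    if (scope) scope.children.push(this);
  }
  get path(): string {
    return this.scope ? `${this.scope.path}/${this.id}` : this.id;
  }
}

// Same contract as CDK's IAspect: visit() is called once for every node.
interface IAspect {
  visit(node: Construct): void;
}

// Mutating aspect: any S3 bucket without an encryption setting gets SSE-S3.
class EnforceBucketEncryption implements IAspect {
  visit(node: Construct): void {
    if (node.resourceType === "AWS::S3::Bucket" && node.props.BucketEncryption === undefined) {
      node.props.BucketEncryption = {
        ServerSideEncryptionConfiguration: [
          { ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } },
        ],
      };
    }
  }
}

// Validating aspect: records an error instead of silently fixing the bucket.
class ProhibitPublicBuckets implements IAspect {
  private static readonly FLAGS = [
    "BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets",
  ];
  visit(node: Construct): void {
    if (node.resourceType !== "AWS::S3::Bucket") return;
    const block = node.props.PublicAccessBlockConfiguration as Record<string, boolean> | undefined;
    if (!block || ProhibitPublicBuckets.FLAGS.some((f) => block[f] !== true)) {
      node.annotations.push(`${node.path}: all four PublicAccessBlock flags must be true`);
    }
  }
}

// Validating aspect for an organization naming convention (pattern is assumed).
class BucketNamingConvention implements IAspect {
  constructor(private readonly pattern: RegExp) {}
  visit(node: Construct): void {
    const name = node.props.BucketName;
    if (node.resourceType === "AWS::S3::Bucket" && typeof name === "string" && !this.pattern.test(name)) {
      node.annotations.push(`${node.path}: bucket name "${name}" violates ${this.pattern}`);
    }
  }
}

interface Template { Resources: Record<string, { Type: string; Properties: Props }> }

// Pre-order traversal applying every aspect at every node, then template
// emission. Like cdk synth, it fails if any node carries an error annotation.
// Logical ids are simplified (CDK appends a path hash).
function synth(root: Construct, aspects: IAspect[]): Template {
  const template: Template = { Resources: {} };
  const errors: string[] = [];
  const walk = (node: Construct): void => {
    for (const a of aspects) a.visit(node);
    errors.push(...node.annotations);
    if (node.resourceType) {
      const logicalId = node.path.split("/").slice(1).join("");
      template.Resources[logicalId] = { Type: node.resourceType, Properties: node.props };
    }
    node.children.forEach(walk);
  };
  walk(root);
  if (errors.length > 0) throw new Error(`synthesis failed:\n${errors.join("\n")}`);
  return template;
}

// objectLike semantics: every expected key must be present with a deep-equal value.
function matches(actual: unknown, expected: unknown): boolean {
  if (typeof expected !== "object" || expected === null) return actual === expected;
  if (typeof actual !== "object" || actual === null) return false;
  if (Array.isArray(expected)) {
    return Array.isArray(actual) && expected.length === actual.length &&
      expected.every((e, i) => matches(actual[i], e));
  }
  return Object.entries(expected as Props).every(([k, v]) => matches((actual as Props)[k], v));
}

function hasResourceProperties(template: Template, type: string, expected: Props): boolean {
  return Object.values(template.Resources).some((r) => r.Type === type && matches(r.Properties, expected));
}

const BLOCK_ALL = { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true };
const ORG_ASPECTS: IAspect[] = [
  new EnforceBucketEncryption(), new ProhibitPublicBuckets(), new BucketNamingConvention(/^acme-[a-z0-9-]+$/),
];

// Compliant stack: encryption is never declared, the aspect adds it.
function buildCompliantStack(): Template {
  const app = new Construct("App", undefined);
  const stack = new Construct("Stack", app);
  new Construct("Logs", stack, "AWS::S3::Bucket", { BucketName: "acme-logs", PublicAccessBlockConfiguration: { ...BLOCK_ALL } });
  new Construct("Fn", stack, "AWS::Lambda::Function", { Runtime: "nodejs20.x" });
  return synth(app, ORG_ASPECTS);
}

// Violating stack: returns the synth error messages instead of a template.
function buildViolatingStack(): string[] {
  const app = new Construct("App", undefined);
  const stack = new Construct("Stack", app);
  new Construct("Public", stack, "AWS::S3::Bucket", {
    BucketName: "Public_Data", PublicAccessBlockConfiguration: { ...BLOCK_ALL, BlockPublicPolicy: false },
  });
  try { synth(app, ORG_ASPECTS); return []; } catch (e) { return (e as Error).message.split("\n").slice(1); }
}
```

The split between a mutating aspect (encryption) and validating aspects (public access, naming) is deliberate: silently rewriting a property is appropriate when there is exactly one acceptable value, while a rule the author must consciously satisfy should fail synthesis with a message that names the construct path.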
CDK Pricing
CDK itself incurs no additional charges. CDK is a tool that generates CloudFormation templates, and costs consist only of the usage fees for deployed AWS resources. When building CI/CD pipelines with CDK Pipelines, CodePipeline and CodeBuild charges apply. S3 storage for templates generated by cdk synth (the CDK bootstrap bucket) also incurs a small storage fee, but it is negligible in practice. Compared to hand-writing CloudFormation YAML, there is zero additional cost from adopting CDK.
Summary
CDK is an IaC framework that leverages the expressiveness of programming languages to define AWS infrastructure. You can choose abstraction levels through the L1-L3 construct hierarchy, build self-mutating CI/CD with CDK Pipelines, and enforce governance rules at the code level with Aspects. Its greatest strength is the ability to define flexible infrastructure with conditionals and loops, going beyond the declarative constraints of CloudFormation.