
CDK Stacks

All AWS infrastructure is provisioned with AWS CDK (TypeScript) located in infra/aws/. The CDK app reads environment-specific configuration from infra/aws/config/nhic.json.

Field         Value
Entry point   infra/aws/bin/infra.ts
Config        infra/aws/config/nhic.json
Runtime       Node.js 22.17+
CDK version   2.207.0

Deploying

Always run cdk diff before cdk deploy against production. Changes to Cognito user pools, CloudFront distributions, or Route53 records affect live users: a CloudFront or Route53 update can cause brief downtime, and a change that replaces a Cognito user pool creates a new, empty pool, so existing users and their credentials are not carried over.

cd infra/aws

Install dependencies

pnpm install

Configure AWS credentials

Authenticate to AWS account 600627345833 using SSO (IAM Identity Center) or temporary access keys. CI authenticates through OIDC; for local deployments, configure a profile with aws configure sso and log in with aws sso login, or export temporary credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) as environment variables.

Bootstrap (first time only)

npx cdk bootstrap

This provisions the CDK toolkit stack (CDKToolkit) in the account and region: the asset bucket plus the IAM roles that cdk deploy assumes. It is only needed once per account/region pair; re-running it with a newer CDK version upgrades the toolkit in place. Because the CI OIDC role deploys through these bootstrap roles, do not widen --trust beyond the accounts that actually need to deploy here.

Preview changes

npx cdk diff

Review the diff carefully before proceeding. Any resource line marked for removal ([-], destroy) or replacement ([~], replace, with the triggering property marked "requires replacement") on a stateful resource such as a user pool, database, bucket or secret requires extra caution: the replacement starts empty and the old resource's data is gone unless its removal policy retains it.

Deploy

npx cdk deploy --all

To deploy a single stack, replace --all with the stack name, e.g. npx cdk deploy NhicCognitoStack. Run npx cdk list to see the stack names the app defines.
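The diff-before-deploy rule above, turned into a gate that refuses to deploy when a stateful resource would be destroyed or replaced. This is an added example, not code from infra/aws; the list of stateful resource types, the ClusterSecretStore-free parsing of a saved cdk diff --no-color output, and the sample diff text are all assumptions (the sample is constructed, with the stack name NhicCognitoStack taken from this page).

```shell
#!/usr/bin/env bash
# Gate on `cdk diff` output: refuse to deploy if a stateful resource type would
# be destroyed or replaced. Added example, not code from the infra/aws repo.
# The resource-type list and the sample diff below are assumptions.

# Resource types whose deletion or replacement loses data or logs users out.
STATEFUL_TYPES="AWS::Cognito::UserPool AWS::Cognito::UserPoolClient
AWS::RDS::DBInstance AWS::RDS::DBCluster AWS::S3::Bucket AWS::DynamoDB::Table
AWS::CloudFront::Distribution AWS::Route53::RecordSet AWS::SecretsManager::Secret"

# stateful_changes FILE
# Prints every resource line of a saved `cdk diff --no-color` output in which a
# stateful type is marked "destroy" ([-]) or "replace" ([~]). Exit status 0 when
# at least one such line exists, 1 when none does (plain grep semantics).
stateful_changes() {
  local file="$1" type pattern=""
  for type in $STATEFUL_TYPES; do
    pattern="${pattern}${pattern:+|}${type}"
  done
  grep -E "^\[[-~]\] (${pattern}) .*(destroy|replace)" "$file"
}

# gate_deploy STACK
# Production flow: save the diff, stop if stateful_changes finds anything,
# otherwise deploy. Defined only; it needs AWS credentials, so it is not run here.
gate_deploy() {
  local stack="$1" diff
  diff="$(mktemp)"
  # Do not let a non-zero exit code from cdk diff abort the script before we parse it.
  npx cdk diff --no-color "$stack" >"$diff" 2>&1 || true
  if stateful_changes "$diff"; then
    echo "refusing to deploy $stack: stateful resources would be replaced or destroyed" >&2
    return 1
  fi
  npx cdk deploy "$stack"
}

# Constructed sample of `cdk diff --no-color` output (not a real diff from the
# project). The user pool is replaced and a bucket destroyed; the Lambda is a
# harmless in-place update.
SAMPLE_DIFF="$(mktemp)"
cat >"$SAMPLE_DIFF" <<'EOF'
Stack NhicCognitoStack
Resources
[~] AWS::Cognito::UserPool UserPool UserPool6BA7E5F2 replace
 `- [~] UsernameAttributes (requires replacement)
     `- [+] email
[~] AWS::Lambda::Function PreSignUp PreSignUp1A2B3C4D
 `- [~] Environment
[-] AWS::S3::Bucket LegacyAssets LegacyAssets12345678 destroy
[+] AWS::S3::Bucket Assets AssetsABCDEF01
EOF

if stateful_changes "$SAMPLE_DIFF"; then
  echo "stateful changes found: review before cdk deploy" >&2
fi
```

Running the block prints the two offending lines from the sample (the user pool replacement and the bucket deletion) and nothing for the Lambda update. In a real run, call gate_deploy NhicCognitoStack; the [-]/[~] markers and the trailing destroy/replace words are what cdk diff prints for removals and replacements.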

Secrets

CDK generates secrets and stores them in AWS Secrets Manager under two prefixes:

Secret path              Contents
cluster-secrets          Rotating credentials: DB passwords, API keys, MinIO access/secret keys
cluster-static-secrets   Non-rotating config values referenced by Kubernetes workloads

The External Secrets Operator (installed from the external-secrets Helm chart) runs in the EKS cluster and syncs these secrets into Kubernetes Secret objects at the refresh interval configured on each ExternalSecret. Workloads consume them as environment variables or mounted files and never call Secrets Manager themselves, so application pods need no Secrets Manager IAM permissions; only the operator's service account does. A rotated value under cluster-secrets reaches the cluster only at the next refresh, and a container reads its environment variables once at start, so workloads that take rotated credentials as environment variables must be restarted to pick up the new value; secrets mounted as files are updated in place (except subPath mounts).
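How one entry under cluster-secrets becomes a Kubernetes Secret, and the check to run after a deploy or rotation, as an added example that is not part of the repository's manifests. The ClusterSecretStore name aws-secrets-manager, the namespace and secret names, the one-hour refresh interval, and the kubectl status table are assumptions (the table is constructed); the block assumes the Secrets Manager value is a JSON object, which is what the extract form of dataFrom requires.

```shell
#!/usr/bin/env bash
# Added example, not manifests from the repository. Renders the ExternalSecret
# that maps one Secrets Manager secret under cluster-secrets/ into a Kubernetes
# Secret, and filters `kubectl get externalsecret -A` output for unsynced rows.
# Store name, namespace, secret names and refresh interval are assumptions.

# external_secret_manifest NAME NAMESPACE REMOTE_KEY [REFRESH]
# Prints an ExternalSecret that syncs REMOTE_KEY from the (assumed)
# ClusterSecretStore "aws-secrets-manager" into Secret NAME in NAMESPACE.
# dataFrom/extract copies every key of the JSON value in Secrets Manager into
# the Secret, so workloads can read them as env vars or files.
external_secret_manifest() {
  local name="$1" ns="$2" key="$3" refresh="${4:-1h}"
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ${name}
  namespace: ${ns}
spec:
  refreshInterval: ${refresh}   # how often ESO re-reads Secrets Manager; a rotated value lands within this window
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager   # assumed store name; it holds the operator's IAM credentials, pods need none
  target:
    name: ${name}
    creationPolicy: Owner       # ESO owns the Secret and removes it with the ExternalSecret
  dataFrom:
    - extract:
        key: ${key}             # Secrets Manager secret name, e.g. cluster-secrets/postgres
EOF
}

# unsynced_external_secrets < kubectl-output
# Reads `kubectl get externalsecret -A` tabular output on stdin and prints
# "NAMESPACE/NAME STATUS" for every row whose READY column is not True.
# Columns are NAMESPACE NAME STORE REFRESH-INTERVAL STATUS READY, so READY is
# the last field and STATUS (SecretSynced / SecretSyncedError) the one before it.
unsynced_external_secrets() {
  awk 'NR > 1 && $NF != "True" { print $1 "/" $2, $(NF-1) }'
}

# Constructed sample of `kubectl get externalsecret -A` output (not real cluster state).
SAMPLE_STATUS='NAMESPACE   NAME                    STORE                 REFRESH INTERVAL   STATUS              READY
api         cluster-secrets-db      aws-secrets-manager   1h                 SecretSynced        True
api         cluster-static-config   aws-secrets-manager   1h                 SecretSynced        True
worker      cluster-secrets-minio   aws-secrets-manager   1h                 SecretSyncedError   False'

external_secret_manifest cluster-secrets-db api cluster-secrets/postgres
echo "--- unsynced ExternalSecrets ---"
printf '%s\n' "$SAMPLE_STATUS" | unsynced_external_secrets
```

Against a live cluster, pipe the real table in with kubectl get externalsecret -A | unsynced_external_secrets; a SecretSyncedError row usually means the operator's IAM role cannot read that secret name, or the Secrets Manager value is not the JSON object that extract expects.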
