CDK Stacks
All AWS infrastructure is provisioned with AWS CDK (TypeScript) located in infra/aws/. The CDK app reads environment-specific configuration from infra/aws/config/nhic.json.
| Field | Value |
|---|---|
| Entry point | infra/aws/bin/infra.ts |
| Config | infra/aws/config/nhic.json |
| Runtime | Node.js 22.17+ |
| CDK version | 2.207.0 |
Deploying
Always run cdk diff before cdk deploy in production. Changes to Cognito user pools, CloudFront distributions, or Route53 records affect live users and may cause brief downtime.
Navigate to the CDK project

```shell
cd infra/aws
```

Install dependencies

```shell
pnpm install
```

Configure AWS credentials

Authenticate to account 600627345833 using SSO or temporary access keys. OIDC is used in CI; for local deployments, configure credentials via aws configure sso or export environment variables.

Bootstrap (first time only)

```shell
npx cdk bootstrap
```

This provisions the CDK toolkit stack in the account and region. Only needed once per account/region pair.

Preview changes

```shell
npx cdk diff
```

Review the diff carefully before proceeding. Any replacement (marked with -/+) of stateful resources requires extra caution.

Deploy

```shell
npx cdk deploy --all
```

To deploy a single stack, replace --all with the stack name, e.g. npx cdk deploy NhicCognitoStack.
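A deploy gate that operationalizes the review step above, added here as an example and not part of the infra/aws project's own tooling: it scans cdk diff output for replacement or destruction of stateful resource types and blocks deployment when one is found. The diff line format and the resource types beyond the three this runbook names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the infra/aws project: refuse to deploy when the
# cdk diff replaces or destroys a stateful resource. Assumes the CDK CLI's diff
# format, where a resource-level line ends in "replace" or "destroy".
set -eu

# Resource types whose replacement affects live users or loses data. The first
# three are named in this runbook; the rest are assumed additions.
STATEFUL_TYPES='AWS::Cognito::UserPool|AWS::CloudFront::Distribution|AWS::Route53::RecordSet|AWS::RDS::|AWS::DynamoDB::Table|AWS::S3::Bucket|AWS::SecretsManager::Secret'

# Print the resource-level diff lines that replace or destroy a stateful type.
# $1: file holding the output of `npx cdk diff`.
stateful_replacements() {
  grep -E "^\[[-~]\] ($STATEFUL_TYPES)[^ ]* .* (replace|destroy)$" "$1" || true
}

# Return 0 when the diff is safe to deploy, 1 when it needs human review.
diff_is_safe() {
  hits=$(stateful_replacements "$1")
  if [ -n "$hits" ]; then
    printf 'Stateful resource replacement detected, deploy blocked:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Constructed sample of cdk diff output (not from a real run), for demonstration.
SAMPLE_DIFF=$(mktemp)
cat > "$SAMPLE_DIFF" <<'EOF'
Stack NhicCognitoStack
Resources
[~] AWS::Cognito::UserPool NhicUserPool NhicUserPool6BA7E5F2 replace
 └─ [~] UserPoolName (requires replacement)
     ├─ [-] nhic-users
     └─ [+] nhic-users-v2
[+] AWS::Lambda::Function PreSignUp PreSignUpA1B2C3
[~] AWS::IAM::Role TaskRole TaskRoleD4E5F6
EOF

# Real use: npx cdk diff "$STACK" 2>&1 | tee diff.txt; diff_is_safe diff.txt && npx cdk deploy "$STACK"
main() {
  if diff_is_safe "$SAMPLE_DIFF"; then
    echo "no stateful replacement found, safe to deploy"
  else
    echo "review the diff before running cdk deploy"
  fi
}
main
```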
Secrets
CDK generates secrets and stores them in AWS Secrets Manager under two prefixes:
| Secret path | Contents |
|---|---|
| cluster-secrets | Rotating credentials — DB passwords, API keys, MinIO access/secret keys |
| cluster-static-secrets | Non-rotating config values referenced by Kubernetes workloads |
The External Secrets Operator (Helm chart external-secrets) runs in the EKS cluster and syncs these secrets into Kubernetes Secret objects on a schedule. Workloads consume them as environment variables or mounted files — they never read from Secrets Manager directly.