CDK has landed and the AWS community is hyped - it was all the rage at the last AWS re:Invent, and thatâs why Iâd like to talk about what CDK introduces to an IaC world. CDK is a game changer for all things infrastructure-as-code for AWS resources, and in this post, Iâm going to dive into why that is, what it introduces, and how you can get started and even migrate existing resources.
â
Just so weâre on the same page, what exactly is AWS CDK? CDK, AKA AWS Cloud Development Kit, is the successor of AWSâs CloudFormation that has been used to date for automating and codifying AWS cloud resources. Because of CloudFormationâs inherent limitations, this opened the door for the popular infrastructure as code tools we have all grown to love, such as Terraform and Pulumi that, while they are not AWS native, still often delivered better IaC results than CloudFormation (particularly with diverse stacks).
â
CDK is set to introduce a completely new and universal way to configure cloud resources that doesnât require a proprietary DSL or config language - like HCL or YAML - but rather is built to be configured in your programming language of choice, namely Golang, Python, and NodeJS. The move to CDK is a result of two main factors. Â
â
First, AWS are looking to provide a much more native experience for their very own cloud, which actually wasnât very native with CloudFormation and led people to prefer non-AWS tooling to configure their cloud resources. The second reason is that CloudFormation wasnât built for the complexity and scale of cloud operations today, and simply couldnât keep up. When you need to write really complex IaC with many dependencies chaining one resource to another, and build a dependency graph and tree in CloudFormation, { but really any config language }, itâs going to be very long, and many times super buggy.Â
â
Another limitation in CloudFormation is when working with multi-region operations (which is certainly a common, and correct practice for high availability purposes). In order to be able to use CloudFormation with multi-region youâll need to employ another AWS duct tape service called âstack setâ, which makes your IaC even more complex.
â
Whatâs All the Hype?
CDK not only enables developersââ who today many times have gained the added fun of having to configure their own environmentsââ to write their cloud config in their favorite programming language, but on top of this, itâs super Amazon-oriented. It has been built to work seamlessly with AWS services and be much more AWS-native than its predecessor CloudFormation, and is now slated to be better than third party tools for configuring AWS services and resources.
â
The first improvement this introduces over existing IaC tools is that when you have the option to configure your resources in the same programming language as your applicationâs code, you can use the same language libraries, and you donât need to create a new YAML repo, for creating specific IaC code. So now, youâll gain the benefit of having your configurations be in the same repo and code library, when doing any other code implementations. The second improvement is that you also gain all of the benefits of using your programming language for your configurations, in the form of code reuse, shared libraries and classes, environment variables and much more.Â
â
How Does AWS CDK Stack Up Against Other IaCs?
Weâll start with Terraform, as Pulumi is actually built upon the underlying Terraform engine, and some of this will hold true for both. When it comes to third-party IaC tools, CDK isnât a hands-down 100% winner as it clearly is vs. CloudFormation, which has been in need of an upgrade for many years. Like with all things in development, when it comes to third-party IaC it highly depends on the use case.
â
So the most obvious reason CDK would trump third-party tools for AWS config, is that unlike CloudFormation, CDK has been built to be highly native to AWS. And while both Terraform and Pulumi work very well for the AWS config use case, they are not specifically built solely for AWS and there are times well youâll run into edge cases where it simply is not a perfect fit for AWS.
â
An example of such a scenario. Iâve had times when Iâve written security groups (and even log groups) that have been dependent on an instance, and Iâve wanted to delete the security group, but not the instance, which I still need. Terraform has failed in such a scenario, when you donât delete the instance, and doesnât always quite know how to deal with such scenarios. This would hold true for Pulumi in this case as well, which leverages the same Terraform engine. This is of course only one example, but there are many other similar examples that exist in the DevOps world.
â
Just to make sure youâre really convinced, an even more frustrating scenario that Iâve likely encountered even more often than the security group is with scaling groups. When modifying a launch configurationâs user data that is attached to a scaling group - youâll encounter similar behavior that is equally difficult or impossible to solve.
â
Third-party tools however would be a much better fit for your environment when you are working with a diverse tool set - for example multiple clouds, or platforms such as Datadog and Auth0, that have better native integrations with third-party IaC tools. Also note, that all of the IaC providers have understood that the move is towards CDK, and they are building their own native CDK implementations - such as CDK for Terraform, and CDK8S.  Â
â
How Does AWS CDK Actually Work?
This is probably the part you have been waiting to get to. So how does AWS CDK actually work in practice, and how do you migrate existing resources? Â
â
If you are already working in Golang - and have a repo written in Golang - migrating your IaC into Go is pretty easy, and the outcome will be that itâs going to be fully attached to your already existing project. This, of course, always depends on the number of resources being migrated and their complexity, but overall the rewrite itself isnât too hard, it might just be time consuming.
â
You will need to rewrite all of the resources, as there currently isnât a robust enough tool out there to enable backwards compatibility or the reverse engineering of YAML to Golang for example. However, since you do have the benefits of code reuse, variables, and classes, this often not a very heavy lift.
â
Also, it is possible to use a hybrid approach until you manage to convert all of your resources.
â
Another benefit is that you can actually see the diffs between the config files, so you can see how much progress you have made, what remains to be converted, and be able to get a pretty accurate schedule for the migration.
â
Show Me the Code
â
Below we will dive into a real example of migrating your CloudFormation to CDK in Golang.
â
This is what the code will look for migrating a CloudFormation YAML file:
â
And this would be the end result of your migrated file to Golang (as you can see itâs significantly shorter and easier to read):
â
â
Once the CDK template is deployed you will be able to find the CDK artifacts in the AWS console (where you will be able to find the resources that the sample code above created in AWS ).
â
The Case for AWS CDK
So I hope this was a useful overview of what CDK is, how and when to use it in your stacks and environments, with a practical example of a CloudFormation migration. We expect there to be much more traction around CDK, and many more integrations and examples to be rolled out in the coming weeks and months.Â
We may also start to see useful tooling to help convert existing files at scaleââalbeit there are already some, they arenât quite ready for showtime. So this is definitely a great resource and an AWS area to watch, and start planning your move to CDK when the time is right for you and the fit right for your stack.
â
Image source:Â https://www.nbtl.blog/aws/getting-started-with-aws-cdk/