Authors, deploys, and troubleshoots AWS infrastructure using CDK with TypeScript or Python. Covers best practices, stack architecture, and construct patterns.…
AWS CDK Overview Domain expertise for CDK construct authoring, deployment workflows, compliance, drift, importing resources, safe refactoring, and troubleshooting CDK CLI / CloudFormation errors. When NOT to use: Raw CloudFormation YAML/JSON. SAM. Terraform/Pulumi. CI/CD beyond CDK Pipelines. Use builtin knowledge or specialized skills for these. Critical Warnings Deadly embrace: Removing a cross-stack reference deadlocks deployment (Export ... cannot be deleted as it is in use by ...). Preferred fix: weaken the reference first — CrossStackReferences.of($RESOURCE).produce(ReferenceStrength.BOTH) then WEAK, then remove (three deploys). Legacy fallback: two-deploy this.exportValue() recipe. See troubleshooting-deployment. Construct ID changes cause replacement: Renaming/moving a construct changes its logical ID → CloudFormation replaces the resource (data loss for stateful resources). Always cdk diff before deploy. See refactor-and-prevent-replacement. UPDATE_ROLLBACK_FAILED: Stack is stuck. Fix with cdk rollback $STACK or cdk rollback $STACK --orphan <LogicalId>. See troubleshooting-deployment. Non-empty S3 buckets persist after destroy: You MUST set both removalPolicy: DESTROY and autoDeleteObjects: true. Versioned buckets are worse — delete markers persist even after apparent deletion. Common Workflows
don't have the plugin yet? install it then click "run inline in claude" again.
added explicit inputs with AWS credential and bootstrap requirements, expanded procedure into nine granular steps with clear inputs/outputs/checkpoints, documented six major decision points covering construct levels and common failure modes, specified output contract with file locations and schema details, and defined seven concrete outcome signals for validation
use this skill to build AWS infrastructure in TypeScript with reusable constructs, safe defaults, and a validation-first delivery loop. pick this when creating or refactoring a CDK app, stack, or custom construct; choosing between L1, L2, and L3 abstractions; building serverless, networking, or security-focused infrastructure; wiring multi-stack applications with environment awareness; or validating infrastructure changes before deployment.
AWS credentials and environment
AWS_REGION: target region for deployment (e.g., us-east-1, eu-west-1)CDK_DEFAULT_ACCOUNT: AWS account ID (retrieved from credentials if not set)CDK_DEFAULT_REGION: fallback region if not specified in stack propsproject setup
npm install -g aws-cdk) or as a dev dependencycdk.json file (auto-generated during init)CDK bootstrap (one-time per account/region)
cdk bootstrap aws://<account>/<region> before first deploy to each environmentcontext values and parameters
cdk.json or passed via cdk deploy -c key=valueexternal integrations (optional)
step 1: initialize a new CDK app
npx cdk init app --language typescript to scaffold a new projectmy-cdk-app/ directory with bin/, lib/, test/, cdk.json, tsconfig.json, package.jsonnpx cdk init in an already-initialized directorystep 2: define your stack(s) in lib/
Stack that describes resources using L2 or L3 constructsremovalPolicy: RemovalPolicy.RETAIN for stateful resources in productionremovalPolicy: RemovalPolicy.DESTROY only for temporary/dev environmentsbin/step 3: instantiate stacks in bin/ entry point
App instance and instantiate one or more stacks with environment-specific propertiesenv: { account: '<account>', region: '<region>' } to avoid implicit defaultsapp.synth() at the end to generate CloudFormationstep 4: write infrastructure assertions in test/
Template.fromStack() to extract the synthesized CloudFormationtemplate.hasResourceProperties(), template.resourceCountIs(), template.fromJSON() helpersstep 5: run cdk synth to generate CloudFormation
lib/ and entry point from bin/npx cdk synth (outputs cdk.out/ directory with CloudFormation templates)cdk.out/<stack-name>.json CloudFormation template ready for reviewstep 6: run cdk diff to preview changes
npx cdk diff [stack-id] to compare proposed vs deployed infrastructurecdk diffstep 7: run infrastructure tests
test/ directorynpm test (typically runs Jest or Vitest configured in package.json)step 8: run cdk deploy to apply changes
npx cdk deploy [stack-id] to deploy a single stack, or npx cdk deploy --all for all stacksCREATE_COMPLETE or UPDATE_COMPLETE in the AWS consolestep 9: verify runtime outcomes
if using L1 (Cfn) vs L2 vs L3 constructs:*
.grantRead() and .grantWrite().LambdaRestApi) for multi-resource architectures that recur across stacks.if synthesis fails:
import * as s3 from 'aws-cdk-lib/aws-s3').cdk.json under the context key, or pass via cdk synth -c key=value.if cdk diff shows risky changes (IAM expansion, resource replacement, or deletes on stateful data):
bucketName), or altered the construct instance ID. revert the change or accept replacement if safe.removalPolicy is set to RETAIN or SNAPSHOT in production. adjust and rerun cdk diff.if cdk deploy fails:
cloudformation:*, iam:*, s3:*, and service-specific permissions (e.g., lambda:*, rds:*).cdk bootstrap aws://<account>/<region> once per environment before first deploy.cdk deploy.if cross-stack references are used:
if no environment is specified in stack props:
CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION env vars. if not set, synthesis may fail or deploy to an unintended account.env: { account, region } to avoid surprises, especially for production stacks.synthesis output (cdk synth)
cdk.out/ directory (committed to .gitignore by default)<stack-name>.json (CloudFormation template in JSON)cdk.out/assets/ contains Docker image digests and Lambda layer asset hashesdeployment output (cdk deploy)
CREATE_COMPLETE (new stack) or UPDATE_COMPLETE (updated stack)CfnOutput objects visible in CloudFormation outputs tab and available via aws cloudformation describe-stackstest output (npm test)
successful skill execution is confirmed by:
cdk synth outputs cdk.out/<stack-name>.json without missing imports, invalid props, or missing contextcdk diff shows intended additions, modifications, and no unintended IAM expansions or data loss on stateful resourcesnpm test confirms all assertions on critical resources, IAM scope, and outputscdk deploy reaches CREATE_COMPLETE or UPDATE_COMPLETE in CloudFormation console within expected timeaws cloudformation describe-stacks --stack-name <name> returns Outputs with expected values (ARNs, endpoints, bucket names, etc.)