A comprehensive multi-environment AWS infrastructure project built with AWS CDK (Cloud Development Kit) using Python. This project demonstrates best practices for deploying AWS resources across multiple environments (dev, staging, production) with security and cost optimization in mind.
- Overview
- Architecture
- Prerequisites
- Getting Started
- Project Structure
- Deployment
- Stack Documentation
- Environment Configuration
- Security Best Practices
- Cost Optimization
- Troubleshooting
## Overview

This project provisions the following AWS resources:
- VPC Stack: Virtual Private Cloud with public, private, and isolated subnets
- EC2 Stack: EC2 instances with security groups and IAM roles
- S3 Stack: S3 buckets with encryption, versioning, and lifecycle policies
- DynamoDB Stack: DynamoDB tables with auto-scaling and point-in-time recovery
- Lambda Stack: Lambda functions with CloudWatch monitoring
- EKS Stack: Elastic Kubernetes Service cluster (optional, commented out by default due to cost)
Key features:

- Multi-Environment Support: Dev, Staging, and Production environments
- Security First: Encryption at rest, VPC isolation, IAM least privilege
- Cost Optimized: Environment-specific configurations for resource sizing
- Infrastructure as Code: Full CDK implementation with Python
- Monitoring: CloudWatch logs, alarms, and X-Ray tracing
- Compliance: VPC Flow Logs, S3 access logging, DynamoDB PITR
## Architecture

```text
┌───────────────────────────────────────────────────────────┐
│                        AWS Account                        │
│  ┌─────────────────────────────────────────────────────┐  │
│  │                  VPC (10.x.0.0/16)                  │  │
│  │  ┌────────────────┐  ┌────────────────┐             │  │
│  │  │ Public Subnet  │  │ Private Subnet │             │  │
│  │  │ - EC2 (dev)    │  │ - EC2          │             │  │
│  │  │ - NAT Gateway  │  │ - EKS Nodes    │             │  │
│  │  └────────────────┘  └────────────────┘             │  │
│  │                                                     │  │
│  │  ┌────────────────┐                                 │  │
│  │  │ Isolated       │                                 │  │
│  │  │ Subnet         │                                 │  │
│  │  │ - Databases    │                                 │  │
│  │  └────────────────┘                                 │  │
│  └─────────────────────────────────────────────────────┘  │
│                                                           │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐     │
│  │  S3 Bucket   │  │   DynamoDB   │  │    Lambda    │     │
│  │ (Encrypted)  │  │    Table     │  │  Functions   │     │
│  └──────────────┘  └──────────────┘  └──────────────┘     │
└───────────────────────────────────────────────────────────┘
```
## Prerequisites

Before you begin, ensure you have the following installed:

- Python 3.8+: Download
- pip: Python package manager (usually included with Python)
- AWS CLI (v2): Installation Guide
- AWS CDK (v2): installed globally with `npm install -g aws-cdk`
- Git: For version control
- AWS Account: Active AWS account with appropriate permissions
- AWS Credentials: Configure AWS credentials locally with `aws configure`
- CDK Bootstrap: Bootstrap your AWS account for CDK with `cdk bootstrap aws://ACCOUNT-NUMBER/REGION`
## Getting Started

```bash
git clone <repository-url>
cd cdk-infra
```

```bash
# Create virtual environment
python3 -m venv .venv

# Activate virtual environment
# On macOS/Linux:
source .venv/bin/activate
# On Windows:
.venv\Scripts\activate

# Upgrade pip
pip install --upgrade pip

# Install dependencies
pip install -r requirements.txt
```

Edit `config/environment_config.py` to customize settings for your environments.
Generate CloudFormation templates without deploying:

```bash
# Development environment
cdk synth --context environment=dev

# Staging environment
cdk synth --context environment=staging

# Production environment
cdk synth --context environment=prod
```

```bash
# Deploy to development (using helper script)
./scripts/deploy.sh dev deploy

# Deploy to staging
./scripts/deploy.sh staging deploy

# Deploy to production (requires manual approval)
./scripts/deploy.sh prod deploy

# Or use CDK directly
cdk deploy --all --context environment=dev --require-approval never
```

## Project Structure

```text
cdk-infra/
├── app.py                      # CDK app entry point
├── config/
│   ├── __init__.py
│   └── environment_config.py   # Environment-specific configurations
├── stacks/
│   ├── __init__.py
│   ├── vpc_stack.py            # VPC and networking infrastructure
│   ├── ec2_stack.py            # EC2 instances and security groups
│   ├── s3_stack.py             # S3 buckets with security settings
│   ├── dynamodb_stack.py       # DynamoDB tables
│   ├── lambda_stack.py         # Lambda functions
│   └── eks_stack.py            # EKS cluster (optional)
├── lambda/
│   └── index.js                # Lambda function code
├── docs/
│   ├── VPC.md                  # VPC stack documentation
│   ├── EC2.md                  # EC2 stack documentation
│   ├── S3.md                   # S3 stack documentation
│   ├── DYNAMODB.md             # DynamoDB stack documentation
│   ├── LAMBDA.md               # Lambda stack documentation
│   └── EKS.md                  # EKS stack documentation
├── scripts/
│   ├── deploy.sh               # Deployment helper script
│   └── clean.sh                # Cleanup script
├── cdk.json                    # CDK configuration
├── requirements.txt            # Python dependencies
├── requirements-dev.txt        # Development dependencies
├── setup.py                    # Python package setup
└── .gitignore                  # Git ignore rules (includes security)
```
## Deployment

The project supports three environments with different configurations:
| Environment | VPC CIDR | NAT Gateways | EC2 Type | DynamoDB Mode |
|---|---|---|---|---|
| Development | 10.0.0.0/16 | 1 | t3.micro | PAY_PER_REQUEST |
| Staging | 10.1.0.0/16 | 2 | t3.small | PAY_PER_REQUEST |
| Production | 10.2.0.0/16 | 3 | t3.medium | PROVISIONED |
```bash
# List all stacks
cdk list --context environment=dev

# Show differences before deployment
cdk diff --all --context environment=dev

# Deploy all stacks
cdk deploy --all --context environment=dev --require-approval never

# Deploy specific stack
cdk deploy cdk-infra-dev-VPC --context environment=dev

# Destroy all stacks (BE CAREFUL!)
cdk destroy --all --context environment=dev --force
```

```bash
# Deploy to an environment
./scripts/deploy.sh dev deploy       # Deploy to dev
./scripts/deploy.sh staging diff     # Show staging changes
./scripts/deploy.sh prod synth       # Generate prod templates
./scripts/deploy.sh dev destroy      # Destroy dev environment

# Clean up build artifacts
./scripts/clean.sh
```

Stacks are deployed in the following order due to dependencies:

1. VPC Stack (no dependencies)
2. S3 Stack (no dependencies)
3. DynamoDB Stack (no dependencies)
4. EC2 Stack (depends on VPC)
5. Lambda Stack (depends on VPC, S3, DynamoDB)
6. EKS Stack (depends on VPC) - Optional, commented out by default
## Stack Documentation

Detailed documentation for each stack:
- VPC Stack - Network infrastructure and VPC configuration
- EC2 Stack - EC2 instances, security groups, and IAM roles
- S3 Stack - S3 buckets, encryption, and lifecycle policies
- DynamoDB Stack - DynamoDB tables and indexes
- Lambda Stack - Lambda functions and monitoring
- EKS Stack - Kubernetes cluster setup and configuration
## Environment Configuration

Environment configurations are managed in `config/environment_config.py`. Each environment has specific settings for:
- VPC CIDR blocks
- Number of Availability Zones
- NAT Gateway count
- Instance types and sizes
- DynamoDB billing modes
- Lambda memory and timeout
- EKS cluster sizing
To apply a configuration change:

1. Edit `config/environment_config.py`
2. Activate the virtual environment: `source .venv/bin/activate`
3. Review the changes: `cdk diff --all --context environment=dev`
4. Deploy: `./scripts/deploy.sh dev deploy`
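Before synthesizing, it is worth checking that the per-environment settings are internally consistent and that production keeps its hardening. The guardrail below is an added example, not the project's own `config/environment_config.py`: the field names and the availability-zone counts (`max_azs`) are assumptions, while the CIDRs, NAT gateway counts, instance types and billing modes come from the environment table in this README.

```python
"""Guardrail checks over per-environment settings like those in config/environment_config.py.
Added example, not the project's own module: field names and the AZ counts are assumptions."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class EnvironmentConfig:
    name: str
    vpc_cidr: str
    max_azs: int
    nat_gateways: int
    instance_type: str
    dynamodb_billing: str        # "PAY_PER_REQUEST" or "PROVISIONED"
    point_in_time_recovery: bool
    ec2_in_private_subnet: bool

# Values from the README's environment table; max_azs is assumed (not stated on the page).
ENVIRONMENTS = {
    "dev": EnvironmentConfig("dev", "10.0.0.0/16", 2, 1, "t3.micro", "PAY_PER_REQUEST", False, False),
    "staging": EnvironmentConfig("staging", "10.1.0.0/16", 2, 2, "t3.small", "PAY_PER_REQUEST", False, False),
    "prod": EnvironmentConfig("prod", "10.2.0.0/16", 3, 3, "t3.medium", "PROVISIONED", True, True),
}

def validate(envs: dict) -> list:
    """Return one message per violated rule; an empty list means the configuration is consistent."""
    problems = []
    nets = {name: ipaddress.ip_network(cfg.vpc_cidr, strict=True) for name, cfg in envs.items()}
    # Non-overlapping CIDRs keep the option of peering or Transit Gateway between environments.
    for a, b in combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            problems.append(f"{a}/{b}: VPC CIDRs {nets[a]} and {nets[b]} overlap")
    for name, cfg in envs.items():
        if not nets[name].is_private:
            problems.append(f"{name}: VPC CIDR {cfg.vpc_cidr} is not an RFC 1918 range")
        if cfg.nat_gateways > cfg.max_azs:
            problems.append(f"{name}: {cfg.nat_gateways} NAT gateways but only {cfg.max_azs} AZs")
        if cfg.name == "prod":
            # Production hardening the README lists: PITR, private EC2, provisioned capacity.
            if not cfg.point_in_time_recovery:
                problems.append("prod: DynamoDB point-in-time recovery must be enabled")
            if not cfg.ec2_in_private_subnet:
                problems.append("prod: EC2 instances must be placed in private subnets")
            if cfg.dynamodb_billing != "PROVISIONED":
                problems.append("prod: DynamoDB billing mode should be PROVISIONED")
    return problems
```

Wiring `validate()` into `app.py` before the stacks are instantiated turns a mis-edited config into a synth-time failure instead of a deployed one.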
## Security Best Practices

This project implements AWS security best practices:
- Private subnets for application workloads
- Isolated subnets for databases
- VPC Flow Logs enabled
- Security groups with least privilege
- S3 bucket encryption at rest (S3-managed keys)
- DynamoDB encryption at rest (AWS-managed keys)
- SSL/TLS enforcement for S3
- Block all public S3 access
- EC2 in private subnets (production)
- EKS private endpoints (production)
- CloudWatch Logs for all resources
- Lambda X-Ray tracing
- DynamoDB Point-in-Time Recovery (production)
- S3 access logging (production)
- Least privilege IAM policies
- SSM Session Manager instead of SSH keys
- Managed policies where appropriate
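One way to confirm that the synthesized templates actually carry these controls before a production deploy, as an added example that is not part of the project's code: `audit_template()` reads the JSON that `cdk synth` writes and reports any S3 bucket without encryption at rest, a full public-access block or a TLS-only bucket policy, any DynamoDB table without point-in-time recovery, and any VPC without a Flow Log. The embedded `SAMPLE_TEMPLATE` is constructed to resemble CDK output and its logical ids are placeholders.

```python
"""Audit a synthesized CloudFormation template for the S3, DynamoDB and VPC controls listed above.
Added example, not the project's code; SAMPLE_TEMPLATE is constructed to resemble cdk synth output."""
import json

SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                           "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
    "DataBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "DataBucket"}, "PolicyDocument": {"Statement": [
            {"Effect": "Deny", "Action": "s3:*", "Principal": {"AWS": "*"},
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}}},
    "AppTable": {"Type": "AWS::DynamoDB::Table", "Properties": {
        "PointInTimeRecoverySpecification": {"PointInTimeRecoveryEnabled": True}}},
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.2.0.0/16"}},
    "VpcFlowLog": {"Type": "AWS::EC2::FlowLog", "Properties": {
        "ResourceType": "VPC", "ResourceId": {"Ref": "Vpc"}, "TrafficType": "ALL"}}}})
PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")

def _of_type(resources: dict, rtype: str) -> dict:
    # Map logical id -> Properties for every resource of the given CloudFormation type.
    return {n: r.get("Properties", {}) for n, r in resources.items() if r.get("Type") == rtype}

def _denies_plain_http(policy: dict) -> bool:
    # enforce_ssl=True in CDK renders a Deny statement conditioned on aws:SecureTransport = false.
    return any(s.get("Effect") == "Deny" and
               str(s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")).lower() == "false"
               for s in policy.get("PolicyDocument", {}).get("Statement", []))

def audit_template(template_json: str) -> list:
    # Returns one finding per missing control; an empty list means the template passes.
    res = json.loads(template_json).get("Resources", {})
    findings = []
    tls_buckets = {p.get("Bucket", {}).get("Ref") for p in _of_type(res, "AWS::S3::BucketPolicy").values()
                   if _denies_plain_http(p)}
    for name, props in _of_type(res, "AWS::S3::Bucket").items():
        if "BucketEncryption" not in props:
            findings.append(f"{name}: no encryption at rest")
        if not all(props.get("PublicAccessBlockConfiguration", {}).get(k) for k in PUBLIC_ACCESS_KEYS):
            findings.append(f"{name}: public access not fully blocked")
        if name not in tls_buckets:
            findings.append(f"{name}: no bucket policy denying non-TLS requests")
    for name, props in _of_type(res, "AWS::DynamoDB::Table").items():
        if not props.get("PointInTimeRecoverySpecification", {}).get("PointInTimeRecoveryEnabled"):
            findings.append(f"{name}: point-in-time recovery disabled")
    logged = {p.get("ResourceId", {}).get("Ref") for p in _of_type(res, "AWS::EC2::FlowLog").values()}
    findings += [f"{n}: no VPC Flow Log" for n in _of_type(res, "AWS::EC2::VPC") if n not in logged]
    return findings
```

Against a real synth run, feed it each `cdk.out/<stack>.template.json` produced by `cdk synth --context environment=prod` and fail the deploy script if the list is non-empty.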
WARNING: This is a public repository. The `.gitignore` file is configured to prevent sensitive data from being committed:

- Never commit AWS credentials
- Never commit private keys or certificates
- Never commit environment-specific secrets
- Review `.gitignore` before making commits
## Cost Optimization

- Use Development Environment for Testing: Dev environment uses smaller, cheaper resources
- EKS is Expensive: EKS stack is commented out by default. Uncomment only when needed.
- NAT Gateway Costs: Dev uses 1 NAT gateway, Staging uses 2, Prod uses 3
- DynamoDB Billing: Dev/Staging use on-demand, Prod uses provisioned with auto-scaling
- Clean Up Unused Resources: Use `./scripts/deploy.sh dev destroy` to remove dev resources when not in use
| Environment | Estimated Cost* |
|---|---|
| Development | $50-100/month |
| Staging | $100-200/month |
| Production | $200-500/month |
*Costs vary based on usage, data transfer, and optional EKS deployment ($70+/month for control plane alone)
```bash
# Use AWS Cost Explorer
aws ce get-cost-and-usage \
  --time-period Start=2025-10-01,End=2025-10-31 \
  --granularity MONTHLY \
  --metrics "BlendedCost" "UnblendedCost"
```

## Troubleshooting

Error: `This stack uses assets, so the toolkit stack must be deployed to the environment`

Solution: Bootstrap your account

```bash
cdk bootstrap aws://ACCOUNT-NUMBER/REGION
```

Error: `User is not authorized to perform: iam:CreateRole`

Solution: Ensure your IAM user/role has administrator access or specific CDK permissions

Error: `Bucket already exists`

Solution: S3 bucket names must be globally unique. CDK generates unique names automatically, but check for conflicts.

Error: `ModuleNotFoundError: No module named 'aws_cdk'`

Solution: Activate the virtual environment and install dependencies

```bash
source .venv/bin/activate
pip install -r requirements.txt
```

Error: `Stack creation timed out`

Solution: EKS can take 15-20 minutes to create. Increase the timeout or wait for completion.

Error: `python3: command not found`

Solution: Ensure Python 3.8+ is installed

```bash
python3 --version
# If not installed, download from python.org
```
- AWS CDK Documentation: https://docs.aws.amazon.com/cdk/
- AWS CDK API Reference: https://docs.aws.amazon.com/cdk/api/v2/
- CDK Workshop: https://cdkworkshop.com/
- AWS Support: https://aws.amazon.com/support/
This project is open source and available under the MIT License.
Contributions are welcome! Please ensure:
- No sensitive data in commits
- Follow Python best practices (PEP 8)
- Update documentation for changes
- Test in dev environment first
- Use type hints where appropriate
For issues and questions:
- Open a GitHub issue
- Check the troubleshooting section
- Review stack-specific documentation in `/docs`
Note: Always review generated CloudFormation templates before deploying to production. Use `cdk synth --context environment=prod` to generate and review templates.