Deploy Your AWS CDK Applications with GitHub Actions
Deploying AWS CDK applications can be streamlined with GitHub Actions, saving you time and reducing manual errors. Below, I propose a basic workflow that you can customize to fit your needs. It assumes you already have a CDK project set up, that the account has been bootstrapped with cdk bootstrap, and that you want to automate deployment to that AWS account on every push to main.
The Workflow File
Create a new file in your repository at .github/workflows/cdk-deploy.yml and paste the variant below that matches your codebase: Python, TypeScript or Go. All three follow the same shape; only the toolchain setup steps differ.
Python:

```yaml
name: Deploy Python CDK

on:
  push:
    branches: ['main']
  pull_request:
    branches: ['main']

env:
  AWS_REGION: us-east-1
  NODE_VERSION: '24'
  PYTHON_VERSION: '3.12'

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required for OIDC
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Install AWS CDK CLI
        run: npm install -g aws-cdk

      - name: Install Python dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      # Credentials are needed from here on: cdk diff compares against the deployed stacks
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/GithubActionsRole
          aws-region: ${{ env.AWS_REGION }}

      - name: CDK Diff
        run: cdk diff

      - name: CDK Synth
        run: cdk synth

      # Pull requests stop at diff and synth; only a push to main deploys
      - name: CDK Deploy
        if: github.event_name == 'push'
        run: cdk deploy --all --require-approval never
```
TypeScript:

```yaml
name: Deploy TypeScript CDK

on:
  push:
    branches: ['main']
  pull_request:
    branches: ['main']

env:
  AWS_REGION: us-east-1
  NODE_VERSION: '24'

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required for OIDC
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'

      - name: Install AWS CDK CLI
        run: npm install -g aws-cdk

      # The app's own dependencies (aws-cdk-lib, constructs, ts-node) come from package-lock.json
      - name: Install project dependencies
        run: npm ci

      # Credentials are needed from here on: cdk diff compares against the deployed stacks
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/GithubActionsRole
          aws-region: ${{ env.AWS_REGION }}

      - name: CDK Diff
        run: cdk diff

      - name: CDK Synth
        run: cdk synth

      # Pull requests stop at diff and synth; only a push to main deploys
      - name: CDK Deploy
        if: github.event_name == 'push'
        run: cdk deploy --all --require-approval never
```
Go:

```yaml
name: Deploy Go CDK

on:
  push:
    branches: ['main']
  pull_request:
    branches: ['main']

env:
  AWS_REGION: us-east-1
  NODE_VERSION: '24'
  GO_VERSION: '1.23'

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required for OIDC
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Install AWS CDK CLI
        run: npm install -g aws-cdk

      - name: Install Go dependencies
        run: go mod download

      # Fail fast on compile errors before any credentials are issued
      - name: Build Go CDK app
        run: go build ./...

      # Credentials are needed from here on: cdk diff compares against the deployed stacks
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/GithubActionsRole
          aws-region: ${{ env.AWS_REGION }}

      - name: CDK Diff
        run: cdk diff

      - name: CDK Synth
        run: cdk synth

      # Pull requests stop at diff and synth; only a push to main deploys
      - name: CDK Deploy
        if: github.event_name == 'push'
        run: cdk deploy --all --require-approval never
```
Replace <ACCOUNT_ID> with your AWS account ID, and GithubActionsRole with the name of the role you created for GitHub.

OIDC Authentication
This workflow uses OpenID Connect (OIDC) to authenticate with AWS: the job requests a short-lived token from GitHub (hence id-token: write) and exchanges it for temporary role credentials, so no long-lived access keys are stored in the repository. If you're new to OIDC or need help setting it up, I've written a dedicated post explaining how to configure the OIDC connection between GitHub and your AWS account. Whichever way you set it up, check that the role's trust policy conditions on the token.actions.githubusercontent.com:sub claim, restricting it to your repository and branch (or environment); a trust policy that only checks the audience can be assumed by a workflow in any GitHub repository.
Testing
The provided workflow does not include any testing steps. For a robust CI/CD pipeline, run unit tests (for CDK, assertions on the synthesized template) and any integration tests in a separate job that the deployment job depends on via needs, so that a failing test blocks the deploy. This ensures your infrastructure changes are validated before being applied.
Production Best Practices
For production environments, it’s recommended to:
- Pin all versions: Freeze the versions of the CDK CLI (npm install -g aws-cdk@<version>), Node.js, Python and the GitHub Actions you use to avoid unexpected updates. For actions, pin to a full commit SHA rather than a tag, since tags can be moved.
- Use approvals: For critical stacks, require manual approval before deployment, for example by running the deploy job in a GitHub environment that has required reviewers.
- Environment separation: Deploy to different AWS accounts for staging and production, each with its own role whose trust policy only accepts jobs for that environment.
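As an added example, not code from the original post, here is the Python workflow reworked to apply the points above together: a test job gates everything, pull requests only produce a diff against staging, a push to main deploys to staging and then to production behind a manual approval. It assumes a tests/ directory of CDK assertion tests and a requirements-dev.txt containing pytest, two AWS accounts each with a GithubActionsRole, and GitHub environments named staging and production (with required reviewers configured on production). <FULL_COMMIT_SHA>, <PINNED_CDK_VERSION> and the account IDs are placeholders for values you pin yourself.

```yaml
name: Deploy Python CDK (test-gated, staging then production)

on:
  push:
    branches: ['main']
  pull_request:
    branches: ['main']

# Serialise runs per ref; never cancel a deploy half-way through.
concurrency:
  group: cdk-${{ github.ref }}
  cancel-in-progress: false

env:
  AWS_REGION: us-east-1
  PYTHON_VERSION: '3.12'
  NODE_VERSION: '24'
  CDK_VERSION: '<PINNED_CDK_VERSION>'   # placeholder: the CDK CLI release you tested

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read                    # no id-token: tests must not be able to reach AWS
    steps:
      # <FULL_COMMIT_SHA> is a placeholder: pin each action to the commit behind the tag you audited
      - uses: actions/checkout@<FULL_COMMIT_SHA>        # v5
      - uses: actions/setup-python@<FULL_COMMIT_SHA>    # v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
      - run: pip install -r requirements.txt -r requirements-dev.txt
      - run: python -m pytest tests/     # assumption: CDK assertion tests live under tests/

  staging:
    needs: test
    runs-on: ubuntu-latest
    environment: staging   # OIDC sub claim becomes repo:<ORG>/<REPO>:environment:staging
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>        # v5
      - uses: actions/setup-python@<FULL_COMMIT_SHA>    # v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
      - uses: actions/setup-node@<FULL_COMMIT_SHA>      # v6
        with:
          node-version: ${{ env.NODE_VERSION }}
      - run: |
          npm install -g aws-cdk@${{ env.CDK_VERSION }}
          pip install -r requirements.txt
      - uses: aws-actions/configure-aws-credentials@<FULL_COMMIT_SHA>   # v4
        with:
          role-to-assume: arn:aws:iam::<STAGING_ACCOUNT_ID>:role/GithubActionsRole
          aws-region: ${{ env.AWS_REGION }}
      - run: cdk synth
      - run: cdk diff                    # pull requests stop here: a reviewable plan, no deploy
      - if: github.event_name == 'push'
        run: cdk deploy --all --require-approval never

  production:
    needs: staging
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production   # required reviewers on this environment are the manual approval gate
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>        # v5
      - uses: actions/setup-python@<FULL_COMMIT_SHA>    # v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
      - uses: actions/setup-node@<FULL_COMMIT_SHA>      # v6
        with:
          node-version: ${{ env.NODE_VERSION }}
      - run: |
          npm install -g aws-cdk@${{ env.CDK_VERSION }}
          pip install -r requirements.txt
      - uses: aws-actions/configure-aws-credentials@<FULL_COMMIT_SHA>   # v4
        with:
          role-to-assume: arn:aws:iam::<PROD_ACCOUNT_ID>:role/GithubActionsRole
          aws-region: ${{ env.AWS_REGION }}
      - run: cdk deploy --all --require-approval never
```

Because each deploying job declares an environment, the token GitHub issues carries a sub claim of the form repo:<ORG>/<REPO>:environment:<name>. The production account's role can therefore trust only repo:<ORG>/<REPO>:environment:production in its StringEquals condition on token.actions.githubusercontent.com:sub, and the staging role only the staging value: a job that has not passed the production approval gate cannot obtain production credentials at all. Pull requests from forks never receive an id-token, so the staging job simply fails for them rather than running a diff with your credentials.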