How to run CDK CloudASM from a ZIP

For all my funsies projects (except the Rust ones), I use pantsbuild to build and deploy my code. It’s a great tool, and but its separation between artifacts requires that CDK code be run during the build step.

Artifacts that contain multiple files to be output in the pants package need to be archives. For my use case, I have a single Python file that builds every CDK stack and merges them into a single Cloud Assembly. For example, here is a simplified build file:

# take the CDK python script and package it into a PEX file
python_source(name="stacks", source="bin/build-stacks.py", dependencies=["//project1:stacks", "//project2:stacks"])
pex_binary(
    name="cdkapp",
    dependencies=[":stacks"],
    venv_site_packages_copies=True,
    execution_mode="venv",
    entry_point="bin/build-stacks.py",
)

# run the earlier pex file to build the CloudASM
shell_command(
    # build cloud assembly zip given the cdk.json and stack objects
    name="cdk",
    tools=["node", "python3.10"],
    command="./cdkapp.pex .",
    execution_dependencies=[":cdkapp"],
    output_files=[
        "*.assets.json",
        "asset.*",
        "*.template.json",
        "cdk.out",
        "manifest.json",
        "tree.json",
    ],
    output_directories=[
        "asset.*",
    ],
)
# zip the CloudASM into a package artifact
archive(name="cloudasm", format="zip", files=[":cdk"])

This will create a dist/cloudasm.zip file that contains all the files needed to deploy the CDK stacks. The CDK CLI can deploy CloudASM without running any of your application code. By default, the tree of templates and artifacts (Lambda zips, etc) are stored in the cdk.out directory. Usually CloudASM is used like this:

cdk deploy --app cdk.out Project1

This reads the already-rendered template without re-running your CDK code. However, because we have the CloudASM in a zip file that doesn’t quite work. We need to extract the CloudASM from the zip file and then run the cdk command. Here’s a simple bash script that does that:

#!/usr/bin/env bash
set -euo pipefail

if [[ ! -f "${1}" ]] ; then
  echo "Could not find cloudassembly zip '${1}'"
  exit 1
fi

DIR=$(mktemp -d -t cloudasm)

unzip -q -d "${DIR}" "${1}" 1>&2

echo "${DIR}"

With this script in build-support, we can run the CDK command like this:

cdk deploy -a "$(build-support/inline-cloudassembly.sh ./dist/whatever.zip)/sub/path"

The same script is also useful if you’ve got approval steps in your deployment pipeline, or want to keep artifacts to enable rollbacks. If you have a pipeline that doesn’t save artifacts it’s worth considering adding a step to have a history of past deploys for troubleshooting.

Ryan Scott Brown

How to run CDK CloudASM from a ZIP