Deployment Order
The cdk-express-pipeline is used to create Waves and Stages, enabling the controlled deployment of resources. This enables deployments from any build system, such as GitHub, GitLab, Jenkins, and even a local environment.
Internally, the DLZ creates phases, each of which is a collection of waves. Each phase typically consists of a global wave and optionally one or more regional waves, which are deployed sequentially. Waves contain stages, which are groupings of stacks deployed in parallel. For the DLZ, the stage and the dependencies between stacks within the same stage are of little importance, as we rely on waves only.
The regions are defined in the config; you can have only a single Global region and optionally one or more Regions.
To recap:
- Phase - A collection of Waves. This is a logical grouping only and is not implemented in code. Deployed sequentially, one after the other.
- Wave - A collection of Stages. Deployed sequentially, one after the other.
- Stage - A collection of Stacks. Deployed in parallel.
- Stack - A collection of AWS resources. Deployed in parallel when possible, as determined by stack dependencies within the Stage.
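The ordering rules above can be modelled directly. The following TypeScript is an added example, not DLZ or cdk-express-pipeline code: it builds a small constructed hierarchy shaped like the DLZ's (root, security and workload base phases, with hypothetical stack ids) and computes the resulting deployment batches, treating phases and waves as sequential, stages as parallel, and dependencies inside a stage as the only thing that serialises stacks. All type names, function names and stack ids are assumptions made for the illustration.

```typescript
// Added example, not DLZ or cdk-express-pipeline code: a dependency-free model of the
// Phase > Wave > Stage > Stack hierarchy that computes the order in which stacks deploy.
// Every stack id below is constructed for illustration.

interface DlzStack { id: string; dependsOn?: string[] }
interface DlzStage { name: string; stacks: DlzStack[] }
interface DlzWave { name: string; stages: DlzStage[] }
interface DlzPhase { name: string; waves: DlzWave[] }

// One batch = stacks that may deploy concurrently; batches execute one after the other.
interface DeployBatch { phase: string; wave: string; stackIds: string[] }

function deploymentSchedule(phases: DlzPhase[]): DeployBatch[] {
  const batches: DeployBatch[] = [];
  for (const phase of phases) {            // phases: strictly sequential
    for (const wave of phase.waves) {      // waves inside a phase: strictly sequential
      // Stages inside a wave run in parallel, so every stack of every stage is a
      // candidate at once. Dependencies (assumed to stay within a stage, as the DLZ
      // relies on waves only) split the candidates into successive batches.
      const pending: DlzStack[] = [];
      for (const stage of wave.stages) pending.push(...stage.stacks);
      const deployed: { [id: string]: true } = {};
      while (pending.length > 0) {
        const ready = pending.filter(s => (s.dependsOn ?? []).every(d => deployed[d] === true));
        if (ready.length === 0) {
          throw new Error(`unsatisfiable dependency in wave ${wave.name}: ${pending.map(s => s.id).join(', ')}`);
        }
        batches.push({ phase: phase.name, wave: wave.name, stackIds: ready.map(s => s.id) });
        for (const s of ready) {
          deployed[s.id] = true;
          pending.splice(pending.indexOf(s), 1);
        }
      }
    }
  }
  return batches;
}

// Constructed DLZ-shaped input: root and security phases have only a global wave; the
// workload base phase has a global wave followed by one regional wave (eu-west-1 here).
const SAMPLE_PHASES: DlzPhase[] = [
  { name: 'root', waves: [
    { name: 'root--global', stages: [
      { name: 'root', stacks: [{ id: 'root--global_root_scps' }, { id: 'root--global_root_sso' }] },
    ] },
  ] },
  { name: 'security', waves: [
    { name: 'security--audit--global', stages: [
      { name: 'audit', stacks: [{ id: 'security--audit--global_audit_securityhub' }] },
    ] },
  ] },
  { name: 'workloads-base', waves: [
    { name: 'workloads--base--global', stages: [
      { name: 'development', stacks: [
        { id: 'workloads--base--global_development_iam' },
        { id: 'workloads--base--global_development_vpc', dependsOn: ['workloads--base--global_development_iam'] },
      ] },
      { name: 'production', stacks: [{ id: 'workloads--base--global_production_iam' }] },
    ] },
    { name: 'workloads--base--regional_eu-west-1', stages: [
      { name: 'development', stacks: [{ id: 'workloads--base--regional_eu-west-1_development_vpc' }] },
    ] },
  ] },
];

// Human-readable view: one line per batch, stacks in a batch separated by '|'.
function describeSchedule(phases: DlzPhase[]): string[] {
  return deploymentSchedule(phases).map((b, i) => `${i + 1}. [${b.phase} / ${b.wave}] ${b.stackIds.join(' | ')}`);
}

console.log(describeSchedule(SAMPLE_PHASES).join('\n'));
```

Running it shows five batches: the root stacks, the audit stack, then within the workload global wave the two IAM stacks together (both stages in parallel) followed by the VPC stack that depends on one of them, and finally the regional wave. Swapping `dependsOn` to a cycle makes the scheduler throw instead of silently skipping a stack.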
General structure
Conceptually the DLZ deployment order has the following structure:
A brief description of the resources deployed in each phase:
- Root Phase - Deploys to the `root` account resources like the Organisation's SCPs and IAM Identity Center resources.
- Security OU - Audit Phase - Deploys to the `audit` account resources like Security Hub and Chatbot notifications.
- Workload OU - Base Phase - Deploys to each account specified under workloads. IAM roles, which belong to a global service, would for example be deployed in the Global wave, while resources such as VPCs are deployed in both the Global and the Regional waves as per the configuration. The majority of the services are deployed in this phase.
- Workload OU - NCP1 + NCP2 + NCP3 Phases - NCP stands for Network Connections Phase. These phases are numbered to indicate the order of deployment, which controls dependencies between accounts and regions. They deploy networking resources that require multiple steps, like VPC Peering. For example, for VPC Peering to work, NCP1 defines the peering roles, NCP2 creates the peering connections, knowing that it can use the cross-account roles in all accounts, and NCP3 creates the route table entries that allow traffic to flow between the VPCs, knowing the VPC peering connections have been established.
- Workload OU - DSP1 Phase - DSP is the abbreviation for Data Services Phase. This phase deploys resources like Lake Formation.
Stacks
The printing of the deployment order can be controlled with the `printDeploymentOrder` flag. When set, the deployment order is printed as shown below. This flag is set by default.
Given two workload accounts, `development` and `production`:
Running `cdk diff "**"` will produce the following console output:
The DLZ only uses Waves and not Stages to control dependencies, so let's break this down into the "Phases" of deployment and focus on the stacks (removing the stages) that are deployed in each phase.
Each stack is identified by the 📦 symbol and has the following format:
- `<stack-name>` - The name of the stack as seen in the AWS Console
- `<stack-id>` - The unique identifier of the stack that we use to target CDK commands like diff, deploy, destroy, etc.
Root Phase
Security OU - Audit Phase
Workload OU - Base Phase
Workload OU - NCP1 Phase
Workload OU - NCP2 Phase
Workload OU - NCP3 Phase
Workload OU - DSP1 Phase
Stack patterns
The DLZ uses stack IDs to enable precise targeting of specific stacks, allowing for controlled and efficient deployments. Below are some commonly used patterns that can be applied with the CDK command:
- `**` - Target all stacks
- `root--*` - Target all stacks in the root phase
- `security--*` - Target all stacks in the security phase
- `workloads--*` - Target all workload stacks in all phases
- `workloads--base--*` - Target all workload stacks of the base phase
- `workloads--ncp*` - Target all workload stacks of all the NCP phases
- `workloads--ncp1--*` - Target all workload stacks of the NCP1 phase
- `workloads--ncp2--*` - Target all workload stacks of the NCP2 phase
- `workloads--ncp3--*` - Target all workload stacks of the NCP3 phase
- `workloads--dsp1--*` - Target all workload stacks of the DSP1 phase
Stacks can be targeted by global/regional waves as well, for example:
- `workloads--base--global_*` - Target all workload global stacks in the base phase
- `workloads--base--regional_*` - Target all workload regional stacks in the base phase
They can also be targeted by account type, for example:
- `*_*--development_*` - Target all stacks in the workload phase of type `development` (specified in the config by `type: DlzAccountType.DEVELOP`)
- `*_*--production_*` - Target all stacks in the workload phase of type `production` (specified in the config by `type: DlzAccountType.PRODUCTION`)
Basic deployment
The basic version deploys all the stacks of the DLZ as defined by the deployment order.
Advanced deployment
The advanced deployment deploys the phases individually, allowing for manual approval steps between the deployment of the `development` and `production` accounts in the workload OU.
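The stack patterns listed above and the advanced deployment flow can be checked before anything is deployed. The following TypeScript is an added example, not DLZ or CDK code: it expresses the advanced deployment as an ordered plan of stack-selection patterns with an approval gate between the development and production stacks of each workload phase, then dry-runs that plan against a constructed set of stack ids using a simplified glob matcher (`*` and `**` match any run of characters, `?` one character). The real CDK CLI resolves patterns with minimatch, the combined per-phase patterns such as `workloads--base--*_*--development_*` are an assumption derived from the page's patterns, and the stack ids follow the shape those patterns imply but are constructed, not real DLZ ids.

```typescript
// Added example, not DLZ or CDK code: plan the advanced (phase-by-phase, gated) deployment
// and dry-run it against constructed stack ids to confirm every stack is selected exactly once.

// Simplified glob matcher; CDK itself uses minimatch. '*'/'**' match any characters, '?' one.
function globToRegExp(pattern: string): RegExp {
  const source = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')  // escape regex metacharacters other than * and ?
    .replace(/\*+/g, '.*')                   // '*' and '**' both match any run of characters
    .replace(/\?/g, '.');
  return new RegExp('^' + source + '$');
}

function selectStacks(pattern: string, stackIds: string[]): string[] {
  const re = globToRegExp(pattern);
  return stackIds.filter(id => re.test(id));
}

type PlanStep =
  | { kind: 'deploy'; pattern: string }
  | { kind: 'approve'; message: string };

// Workload phase prefixes in deployment order, as listed in the "Stack patterns" section.
const WORKLOAD_PHASES = ['base', 'ncp1', 'ncp2', 'ncp3', 'dsp1'];

// Root and security phases first, then each workload phase split into a development
// deployment, a manual approval gate, and a production deployment (assumed pattern shape).
function advancedDeploymentPlan(): PlanStep[] {
  const steps: PlanStep[] = [
    { kind: 'deploy', pattern: 'root--*' },
    { kind: 'deploy', pattern: 'security--*' },
  ];
  for (const phase of WORKLOAD_PHASES) {
    steps.push({ kind: 'deploy', pattern: `workloads--${phase}--*_*--development_*` });
    steps.push({ kind: 'approve', message: `approve ${phase} phase for production` });
    steps.push({ kind: 'deploy', pattern: `workloads--${phase}--*_*--production_*` });
  }
  return steps;
}

// Constructed stack ids following the shape the page's patterns imply:
// <phase>--<wave>_<account>--<account type>_<stack>  (hypothetical account "acme")
const SAMPLE_STACK_IDS = [
  'root--global_root_scps',
  'security--audit--global_audit_securityhub',
  'workloads--base--global_acme--development_iam',
  'workloads--base--regional_eu-west-1_acme--development_vpc',
  'workloads--base--global_acme--production_iam',
  'workloads--ncp1--global_acme--development_peering-roles',
  'workloads--ncp1--global_acme--production_peering-roles',
  'workloads--ncp2--regional_eu-west-1_acme--development_peering-connections',
  'workloads--ncp3--regional_eu-west-1_acme--production_peering-routes',
  'workloads--dsp1--global_acme--development_lakeformation',
];

// Dry run: resolve each deploy step to the stacks it would select and report stacks that the
// plan never reaches or reaches twice (either one means a pattern is wrong).
function dryRun(stackIds: string[]): { lines: string[]; uncovered: string[]; duplicates: string[] } {
  const seen: { [id: string]: number } = {};
  const lines: string[] = [];
  for (const step of advancedDeploymentPlan()) {
    if (step.kind === 'approve') { lines.push(`-- manual gate: ${step.message}`); continue; }
    const selected = selectStacks(step.pattern, stackIds);
    selected.forEach(id => { seen[id] = (seen[id] || 0) + 1; });
    lines.push(`cdk deploy "${step.pattern}"  -> ${selected.length ? selected.join(', ') : '(no stacks)'}`);
  }
  return {
    lines,
    uncovered: stackIds.filter(id => !seen[id]),
    duplicates: stackIds.filter(id => seen[id] > 1),
  };
}

console.log(dryRun(SAMPLE_STACK_IDS).lines.join('\n'));
```

The dry run prints the `cdk deploy` command for each step with the stacks it resolves to, so an empty selection (for example no NCP2 production stacks in the constructed set) is visible before the pipeline runs. Checking `uncovered` and `duplicates` is the useful part: a typo in a pattern either leaves stacks undeployed or deploys them in two phases, and both are caught here rather than during a deployment.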