
Deploy to AWS with GitHub Actions and AWS CDK

Tags: CDK, Serverless, Python
Written by Ran Isenberg, Builder, AWS Serverless Hero & Principal Cloud Architect at Palo Alto Networks

Passionate about AI, Serverless, Platform Engineering and helping organizations build reliable & scalable systems on AWS.

This blog explains how you can use AWS CDK to deploy to your AWS account from a GitHub Actions CI/CD pipeline.

Feel free to use the code snippets as you please.

Click here and here to view a fully working GitHub AWS Serverless service template that uses the same snippet.

Update January 2024

This complete CI/CD file has been revised and updated with newer versions and multiple environments: deployments to dev, staging and production accounts:

  • Dev & PR CI/CD

  • Staging and production

TL;DR Video

This blog post is available as a video.

Going Over The Job Steps

Let's go over the CI/CD pipeline steps:

  • Environment setup

  • AWS account setup

  • Run linters & unit tests

  • Deploy stack

  • Run E2E tests

  • Destroy stack (for dev stack only)

Environment Setup

Python & Node Setup

This snippet sets up Python 3.9 and Node v16 in the CI/CD runner. Node is needed because the AWS CDK CLI is an npm package, even when the CDK app itself is written in Python.

Setup AWS CDK

It's recommended to use the latest pip and AWS CDK versions.

In line 4, install your Python dependencies with pip, pipenv, or poetry, depending on your weapon of choice for managing Python dependencies.

These dependencies include development dependencies (pytest, linters, etc.) and service runtime dependencies.

Setup AWS Secrets

You must set up GitHub's repository secrets for this snippet to work.

Under Settings/Secrets/Actions, add 'AWS_SECRET_KEY' and 'AWS_ACCESS_KEY'.

These secrets are the access key pair of an IAM user you created for your CI/CD process. Attach to that user only the permissions the deployment actually needs; do not reuse an administrator's keys.

This is a simple example. Long-lived access keys stored as repository secrets can leak and never expire on their own, so for security reasons it is better to federate GitHub Actions to AWS with OpenID Connect (OIDC) and assume a short-lived IAM role, or to use an SSO solution (both out of the scope of this guide).

The YAML config:

In line 7, choose your AWS region.

Linters & Unit Tests

Right before deployment, it is recommended to run linters such as:

  • pylint/flake8

  • pre-commit checks

  • yapf/black

  • Code complexity checks (radon/xenon)

See the linters example and configuration at my GitHub template here and the makefile that runs the linters commands here.

Once the linters finish, run unit tests as the first service logic gate. Failing fast here means a broken build never reaches your AWS account.

Deploy Time

In line 3, you must set the correct path to your CDK 'app.py' file.

I usually put all the CDK project files in a 'cdk' folder instead of the root project path.

E2E Tests

Once deployment is completed, run your E2E tests and make sure your service runs properly on AWS. You can use pytest to send REST API requests or fire other triggers against your deployed service.

Destroy Stack

This step is relevant only for the dev stack or pull request builds, where you want to destroy the stack at the end so it doesn't linger and accrue cost.

As in the deployment stage, make sure to set the correct path to your CDK 'app.py' file.

The Full Flow
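Putting the six steps above together, here is a complete workflow file as an added example. It is not the post's own YAML (the original snippets are not reproduced on this page) and not taken from the author's template repository. For the AWS account setup step it uses OIDC federation instead of the long-lived AWS_ACCESS_KEY/AWS_SECRET_KEY secrets described earlier, keeping the access-key variant as a comment for comparison. The role name github-actions-deploy, the AWS_ACCOUNT_ID secret, the requirements.txt file, the tests/unit and tests/e2e directories, and the us-east-1 region are assumptions about your project.

```yaml
name: Serverless CI/CD

on:
  push:
    branches: [main]
  pull_request:

# Least privilege for the workflow token: id-token is needed to mint the OIDC
# token, contents:read for checkout. Nothing else is granted.
permissions:
  id-token: write
  contents: read

env:
  AWS_REGION: us-east-1          # assumption: replace with your region
  CDK_APP: python cdk/app.py     # CDK entry point, kept in a 'cdk' folder as the post suggests

jobs:
  ci-cd:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # 1. Environment setup: Python for the service, Node for the CDK CLI (an npm package)
      - uses: actions/setup-python@v5
        with:
          python-version: '3.9'
      - uses: actions/setup-node@v4
        with:
          node-version: '16'
      - name: Install CDK CLI and Python dependencies
        run: |
          python -m pip install --upgrade pip
          npm install -g aws-cdk
          pip install -r requirements.txt   # assumption: swap for pipenv/poetry if you use them

      # 2. AWS account setup via OIDC: GitHub mints a short-lived identity token and
      #    AWS exchanges it for temporary role credentials. No key pair lives in GitHub.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-deploy  # assumed role name
          role-session-name: github-${{ github.run_id }}
          aws-region: ${{ env.AWS_REGION }}
        # The access-key variant from the post, for comparison. Avoid it where you can:
        # with:
        #   aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
        #   aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }}
        #   aws-region: ${{ env.AWS_REGION }}

      # 3. Linters and unit tests gate the deployment
      - name: Lint
        run: pre-commit run --all-files
      - name: Unit tests
        run: pytest tests/unit                 # assumption: your unit test directory

      # 4. Deploy the stack; --require-approval never because nobody can click in CI
      - name: Deploy stack
        run: cdk deploy --app "$CDK_APP" --require-approval never

      # 5. E2E tests against the real, deployed service
      - name: E2E tests
        run: pytest tests/e2e                  # assumption: your E2E test directory

      # 6. Tear down PR stacks even when E2E fails, so broken deployments don't linger
      - name: Destroy stack (pull requests only)
        if: always() && github.event_name == 'pull_request'
        run: cdk destroy --app "$CDK_APP" --force
```

For the OIDC step to be safe, the IAM role's trust policy must name GitHub's provider (token.actions.githubusercontent.com) as the federated principal and constrain the `sub` claim to your repository and branch; without that condition any GitHub repository could assume the role. The target account also needs a one-time `cdk bootstrap` before the first deploy, and if several pull requests can run at once, give PR stacks a per-branch stack name in app.py so they don't overwrite each other.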

