Overview
Infrastructure-as-code for a multi-account AWS environment. Covers everything from organization governance to serverless site hosting, with all resources defined in CDK and TypeScript.
Components
- AWS Organization with ALL features — portfolio-dev and portfolio-prod OUs
- IAM Identity Center (SSO) — centralized access with per-account permission sets
- Service Control Policies — region restriction and root account denial across all member accounts
- DNS Management — root zone in management account, subdomain zones delegated to child accounts
- Certificate Management — wildcard ACM certificates for root and subdomain zones, validated via DNS
- Billing Alerts — CloudWatch alarms at configurable USD thresholds with email notifications
- Account Factory — standardized member account provisioning into OUs
- Portfolio Hosting — serverless SSR deployment with CloudFront, Lambda, and S3
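As an added example (not code from the @dawalnut/infra package), the two guardrail SCPs from the list above modelled as plain policy objects, with a small evaluator that shows which API calls each one blocks. The allowed regions, the exempted global services and the 111111111111 account id are assumed placeholder values.

```typescript
// Added example, not code from the @dawalnut/infra package: a minimal model of the
// two guardrail SCPs (region restriction, root user denial) plus an evaluator that
// shows which calls they block. Allowed regions, exempt global services and the
// 111111111111 account id are constructed placeholder values.
type Condition = Record<string, Record<string, string | string[]>>;
type Statement = { Effect: "Deny"; Action?: string[]; NotAction?: string[]; Resource: "*"; Condition: Condition };
type Request = { action: string; region: string; principalArn: string };

// Deny calls outside the allowed regions, exempting global services that are
// always served from us-east-1 (the exemption list is kept deliberately short).
const regionRestriction: Statement = {
  Effect: "Deny",
  NotAction: ["iam:*", "organizations:*", "route53:*", "cloudfront:*", "sts:*", "support:*"],
  Resource: "*",
  Condition: { StringNotEquals: { "aws:RequestedRegion": ["us-east-1", "eu-west-1"] } },
};

// Deny every action performed by a member account's root user.
const denyRootUser: Statement = {
  Effect: "Deny",
  Action: ["*"],
  Resource: "*",
  Condition: { StringLike: { "aws:PrincipalArn": "arn:aws:iam::*:root" } },
};

const guardrailScp = { Version: "2012-10-17", Statement: [regionRestriction, denyRootUser] };

// IAM-style wildcard match, e.g. "iam:*" or "arn:aws:iam::*:root".
function globMatch(pattern: string, value: string): boolean {
  const parts = pattern.split("*").map((p) => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(value);
}

// True when at least one SCP statement explicitly denies the request. Simplified:
// real SCPs skip the management account and service-linked roles, and an SCP only
// bounds permissions, so the caller still needs an IAM allow to succeed.
function deniedByScp(req: Request, policy = guardrailScp): boolean {
  const ctx: Record<string, string> = { "aws:RequestedRegion": req.region, "aws:PrincipalArn": req.principalArn };
  return policy.Statement.some((s) => {
    const actionHit = s.Action
      ? s.Action.some((a) => globMatch(a, req.action))
      : !(s.NotAction ?? []).some((a) => globMatch(a, req.action));
    return actionHit && Object.entries(s.Condition).every(([op, kv]) =>
      Object.entries(kv).every(([key, exp]) => {
        const want = Array.isArray(exp) ? exp : [exp];
        if (op === "StringNotEquals") return !want.includes(ctx[key]);
        if (op === "StringLike") return want.some((w) => globMatch(w, ctx[key]));
        throw new Error(`unsupported condition operator ${op}`);
      }));
  });
}
```

Attaching the real policy at the OU level (rather than per account) is what makes the guardrail apply to every member account provisioned by the account factory.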
Reusable Constructs
The @dawalnut/infra package exports three constructs designed for multi-account AWS setups:
- DnsZone — Public hosted zone with auto-exported zone ID and NS records
- CrossAccountDnsRole — IAM role scoped to a specific hosted zone, assumable by a member account
- SsrSite — Full serverless site deployment: CloudFront → API Gateway → Lambda for dynamic content, CloudFront → S3 for static assets
Key Patterns
- Zod config validation — all CDK context values are parsed through Zod schemas at synth time, catching misconfigurations before deployment
- Delegated DNS — child accounts own their subdomain zones and register NS delegation in the root zone via cross-account roles
- Cross-region certificates — CDK native crossRegionReferences with a dedicated certificate stack in us-east-1 for CloudFront
- Environment isolation — separate accounts per environment with SCPs enforcing guardrails