Documentation

Everything you need to connect your AWS account, prepare your CDK project, and deploy infrastructure through Stackform.

Overview

Stackform deploys your AWS CDK projects to any AWS account using short-lived OIDC credentials. There are no long-lived keys, no standing access, and full ownership stays with you.

How it works

Connect

Link your AWS account and Git repository

Configure

Set environment variables and choose a branch

Deploy

One click or auto-deploy on push

Under the hood, Stackform clones your repo, installs dependencies, synthesizes the CDK app, bootstraps the target account, and deploys all stacks. Logs stream in real-time to the Stackform dashboard.

AWS Account Setup

Stackform uses OIDC federation to securely assume a role in your AWS account. No long-lived credentials are stored. This setup is done once per AWS account.

Create the OIDC Identity Provider

Tell AWS to trust Stackform as an identity provider:

bash

aws iam create-open-id-connect-provider \
  --url "https://app.stackform.io" \
  --client-id-list "sts.amazonaws.com" \
  --thumbprint-list "6e389d173df252c45ef9ba108af64e32771901b1"

Save the returned OpenIDConnectProviderArn for the next step.

Create the IAM Role with Trust Policy

Create a file stackform-trust-policy.json:

json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::YOUR_ACCOUNT_ID:oidc-provider/app.stackform.io"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "app.stackform.io:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

Then create the role:

bash

aws iam create-role \
  --role-name StackformDeployRole \
  --assume-role-policy-document file://stackform-trust-policy.json \
  --description "Allows Stackform to deploy CDK infrastructure"

Attach Deployment Permissions

For development and testing, you can use AdministratorAccess:

bash

aws iam attach-role-policy \
  --role-name StackformDeployRole \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

For production, create a custom policy with only the permissions your CDK stacks need (CloudFormation, S3, Lambda, IAM, etc.).

Provide the Role ARN to Stackform

Copy your role ARN and add it in the Stackform platform when connecting your AWS account:

bash

aws iam get-role --role-name StackformDeployRole \
  --query 'Role.Arn' --output text

The ARN looks like: arn:aws:iam::123456789012:role/StackformDeployRole

Setup via AWS Console

If you prefer the AWS Management Console over the CLI, follow these steps.

Create OIDC Identity Provider

Go to IAM → Identity providers → Add provider
Select OpenID Connect
Provider URL: https://app.stackform.io
Click Get thumbprint
Audience: sts.amazonaws.com
Click Add provider

Create IAM Role

Go to IAM → Roles → Create role
Trusted entity: Web identity
Provider: app.stackform.io, Audience: sts.amazonaws.com
Attach your chosen permissions policy
Name the role StackformDeployRole

Copy Role ARN

Click on the role and copy the ARN from the summary page. Provide it to Stackform along with your preferred AWS region.

CDK Project Requirements

Your CDK project must meet these requirements to deploy through Stackform.

Mandatory files

File	Purpose
cdk.json	Must exist at repo root with a valid "app" entry (e.g. "npx ts-node bin/app.ts")
package.json + lockfile	Lockfile must be committed and in sync. Supports npm, pnpm, yarn, and bun.

Example cdk.json

json

{
  "app": "npx ts-node bin/app.ts"
}

Recommended CDK app pattern

typescript

const app = new cdk.App();

const stackName = process.env.STACK_NAME || "my-default-stack";

new MyStack(app, stackName, {
  env: {
    account: process.env.ACCOUNT_ID || process.env.CDK_DEFAULT_ACCOUNT,
    region: process.env.ACCOUNT_REGION || process.env.CDK_DEFAULT_REGION,
  },
});

Do not hardcode account IDs or regions. Use the environment variables Stackform provides: ACCOUNT_ID, ACCOUNT_REGION, and STACK_NAME.

Package manager support

Lockfile	Package Manager	Install Command
bun.lockb / bun.lock	bun	bun install --frozen-lockfile
pnpm-lock.yaml	pnpm	pnpm install --frozen-lockfile
yarn.lock	yarn	yarn install --immutable
package-lock.json	npm	npm ci

Container runtime limits

Resource	Limit
RAM	4 GB
CPU	2 vCPU (x86_64)
Ephemeral storage	30 GB
Credential lifetime	1 hour
Node.js	22 (LTS)

Multi-stack behavior

Stackform deploys all stacks in the synthesized assembly. You cannot selectively deploy individual stacks. Use CDK Stage constructs or conditional logic to control which stacks are synthesized.

All stacks must target the same AWS account and region. For cross-account deployments, create separate Stackform environments.

Known limitations

No Docker-in-Docker — DockerImageAsset will fail. Pre-build images and reference them by ECR URI.
Node.js only— Python CDK projects are not supported in the current runtime.
No SSM/Secrets Manager at runtime — pass secrets through Stackform environment config.

Environments & Secrets

Configure environment variables and secrets in the Stackform UI. They are injected into your CDK process during synthesis and deployment.

System variables

These are automatically available during synthesis:

Variable	Description
ACCOUNT_ID	Target AWS account ID
ACCOUNT_REGION	Target AWS region
STACK_NAME	Auto-generated CloudFormation stack name

SSM Parameter Store secrets

Prefix a variable value with ssm:// to resolve it from SSM Parameter Store before deployment:

text

DATABASE_URL=ssm:///my-app/prod/database-url

The value is resolved by the deploy-trigger Lambda and injected as a plain-text environment variable. Your CDK code reads it as process.env.DATABASE_URL.

Deploying

Trigger a deployment from the Stackform dashboard or via auto-deploy on Git push.

Deployment flow

INITIALIZINGCLONINGINSTALLINGSYNTHESIZINGBOOTSTRAPPINGDEPLOYINGTAGGINGARCHIVINGCOMPLETED

Each phase streams real-time logs to the Stackform dashboard. Deployments that fail will have CloudFormation automatically roll back the stack.

Deployment statuses

Status	Meaning
PENDING	Deployment created, container launching
SYNTHESIZING	Installing deps and running CDK synthesis
DEPLOYING	CloudFormation stack create/update in progress
COMPLETED	All stacks deployed successfully
FAILED	Error during any phase (check logs)
DESTROYING	Stack deletion in progress
DESTROYED	Stack deleted successfully
ROLLING_BACK	CloudFormation rollback in progress

Auto-Deploy on Git Push

Automatically deploy when code is pushed to a branch. Enable auto-deploy on any environment in the Stackform UI.

How it works

Enable Auto-deploy on an environment and select a branch
Stackform registers a webhook on your GitHub repository
On push to the configured branch, Stackform validates the webhook signature and triggers a deployment
Multiple projects sharing the same repo can each deploy to different AWS accounts

If a deployment is already in progress for a project/environment pair, new webhook triggers are skipped (debouncing).

Example: multi-project setup

text

Repo: github.com/acme/infra

  Project A (Org 1)
    Environment "prod"    (branch: main)    -> AWS 111111111111
    Environment "staging" (branch: develop) -> AWS 111111111111

  Project B (Org 2)
    Environment "prod"    (branch: main)    -> AWS 222222222222

Push to main  -> deploys Project A prod + Project B prod
Push to develop -> deploys Project A staging only

Security

Every webhook payload is validated with SHA-256 HMAC
Timing-safe comparison prevents timing attacks
Each organization has its own webhook secret

Redeploy & Rollback

Redeploy from a previously successful deployment without cloning or rebuilding. Useful for fixing drift, retrying, or rolling back to a known-good state.

How redeploy works

Every successful deployment archives its cdk.out to S3
Redeploy downloads the stored assembly and deploys it directly — no clone, install, or synthesis
The engine is automatically selected based on the original deployment duration

INITIALIZINGDOWNLOADINGBOOTSTRAPPINGDEPLOYINGTAGGINGCOMPLETED

CloudFormation handles automatic rollback on failure. If a deployment fails mid-way, the stack reverts to its previous state. The CDK Toolkit detects paused failure states and auto-rolls back on the next deploy.

Troubleshooting

Pre-deployment Checklist

Project Structure

cdk.json exists at repository root with a valid app entry
app command uses npx or references a local dependency
Lockfile is committed and in sync with package.json
cdk.context.json is committed (if using context lookups)

CDK Code

Account/region read from environment variables, not hardcoded
No DockerImageAsset (no Docker-in-Docker)
All stacks target the same account and region
No interactive prompts during synthesis
Stack names accept STACK_NAME env var

Environment & Secrets

All required env vars defined in Stackform environment config
Secrets referenced with ssm:// prefix
No direct SSM/Secrets Manager calls at synthesis time

Target Account

IAM role exists and trusts Stackform OIDC provider
Role has sufficient permissions for all resources
No SCPs blocking CloudFormation or CDK bootstrap

Need help?

Get in touch