AWS CDK Landing Zone

Updating Versions

How to receive landing zone improvements by bumping the @towardsthecloud package versions in your starter repo.

The landing zone foundation and constructs are delivered as versioned packages through AWS CodeArtifact. When Towards The Cloud releases improvements, you receive them by bumping two pinned version numbers in .projenrc.ts and redeploying, with no forking or patching required.

Pinned versions

The two licensed packages are pinned in the towardsTheCloudPackages array in .projenrc.ts; the CDK versions are set on the cdkVersion and cdkCliVersion fields:

Package                                        Current pin   What it controls
@towardsthecloud/cdk-landing-zone-foundation   1.3.2         Organization management, GitHub OIDC, StackSet prerequisites
@towardsthecloud/cdk-landing-zone-constructs   1.4.2         22 account-baseline constructs
aws-cdk-lib                                    2.260.0       AWS CDK library (set via cdkVersion)
aws-cdk (CLI)                                  2.1128.1      CDK CLI (set via cdkCliVersion)

The two licensed packages are excluded from automated dependency upgrades (depsUpgradeOptions.exclude), so you bump them by hand when a release is announced.

Upgrade procedure

  1. Check the release notes: Towards The Cloud communicates breaking changes and migration steps with each release.

  2. Update the version pins in .projenrc.ts:

    const towardsTheCloudPackages = [
      { name: '@towardsthecloud/cdk-landing-zone-constructs', version: '1.4.2' }, // bump here
      { name: '@towardsthecloud/cdk-landing-zone-foundation', version: '1.3.2' }, // and here
    ];
    

    For a CDK bump, update cdkVersion and cdkCliVersion in the same file instead.

  3. Regenerate project files and install the new packages:

    pnpm exec projen
    

    This rewrites package.json, pnpm-lock.yaml, and generated files to match the new pins.

  4. Review the diff: git diff will show which generated files changed. Pay particular attention to changes in .github/workflows/ and any generated npm scripts.

  5. Deploy:

    pnpm run management:deploy
    

    Or push to main and let the GitHub Actions pipeline deploy.

CodeArtifact token refresh

The pnpm exec projen step runs pnpm install internally, which requires a valid CodeArtifact token. If the install fails with a 401 error:

    # Re-assume your management account role, then:
    pnpm run setup

pnpm run setup fetches a fresh token and re-runs the install.

Things to know

  • Both packages should be bumped together: cdk-landing-zone-foundation and cdk-landing-zone-constructs are released in tandem and tested against each other at the same version.
  • CDK version bumps (cdkVersion and cdkCliVersion) follow the same pattern. Check the AWS CDK changelog for breaking changes before bumping.
  • Projen re-runs on install: generated files are regenerated automatically when you run pnpm exec projen. Committing the resulting changes to main keeps the repo consistent.
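
A check for the pin edit in step 2 and the bump-together guidance above, as an added example that is not part of the starter repo or the Towards The Cloud packages. The names readPins and checkBump are hypothetical, the versions 1.5.0 and 1.4.0 are constructed, and it assumes pins are exact x.y.z versions as shown on this page.

```javascript
// Added example: guard for the pin edit in .projenrc.ts (hypothetical helper names).
const LICENSED = [
  '@towardsthecloud/cdk-landing-zone-constructs',
  '@towardsthecloud/cdk-landing-zone-foundation',
];

// Extract name -> version pairs from the towardsTheCloudPackages array literal.
function readPins(source) {
  const block = /towardsTheCloudPackages\s*=\s*\[([\s\S]*?)\]/.exec(source);
  const pins = {};
  if (!block) return pins;
  const entry = /name:\s*['"]([^'"]+)['"]\s*,\s*version:\s*['"]([^'"]+)['"]/g;
  for (const m of block[1].matchAll(entry)) pins[m[1]] = m[2];
  return pins;
}

// Compare the file before and after the edit; an empty result means no findings.
function checkBump(before, after) {
  const oldPins = readPins(before);
  const newPins = readPins(after);
  const findings = [];
  const changed = [];
  for (const name of LICENSED) {
    const version = newPins[name];
    if (!version) {
      findings.push(`${name}: pin missing from towardsTheCloudPackages`);
      continue;
    }
    // Assumption: pins are exact x.y.z, as on the page; ranges such as ^1.5.0 are flagged.
    if (!/^\d+\.\d+\.\d+$/.test(version)) {
      findings.push(`${name}: "${version}" is not an exact version pin`);
    }
    if (oldPins[name] !== version) changed.push(name);
  }
  if (changed.length === 1) {
    findings.push(`only ${changed[0]} changed; the two packages are released in tandem`);
  }
  return findings;
}

// Constructed inputs: 1.5.0 and 1.4.0 are made-up versions for illustration.
const current = `const towardsTheCloudPackages = [
  { name: '@towardsthecloud/cdk-landing-zone-constructs', version: '1.4.2' }, // bump here
  { name: '@towardsthecloud/cdk-landing-zone-foundation', version: '1.3.2' }, // and here
];`;
const bumpedBoth = current.replace('1.4.2', '1.5.0').replace('1.3.2', '1.4.0');
const bumpedOne = current.replace('1.4.2', '^1.5.0'); // range + single bump
console.log(checkBump(current, bumpedBoth));
console.log(checkBump(current, bumpedOne));
```

On a real checkout, pass the output of git show HEAD:.projenrc.ts as the "before" text and the edited working-tree file as the "after" text.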