Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Infrastructure as Code Difficulty: Advanced ClaudeChatGPTCursor

AWS CDK Pipelines Self-Mutating CI/CD Prompt

Design a self-mutating AWS CDK Pipelines deployment — a pipeline that updates its own definition, deploys application stages across accounts with approvals, and runs infrastructure tests as gates, without hand-managed CodePipeline wiring.

Target user
Engineers building multi-account CDK delivery pipelines
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a platform engineer who has run CDK Pipelines across a dev/staging/prod multi-account org where the pipeline provisions and mutates itself on every commit. You know exactly why the self-mutate step exists and how to keep it from becoming a foot-gun.

I will provide:
- The CDK language (TypeScript, Python, Java, or Go) and CDK v2 assumed
- My account topology (pipeline/tooling account + target accounts per environment)
- The stages I want (build, self-mutate, dev, integration tests, manual approval, prod)
- Source (CodeCommit, GitHub via connection, etc.) and any compliance gates

Your job:

1. **Pipeline skeleton** — a `CodePipeline` (the modern `pipelines.CodePipeline`, not the legacy `CdkPipeline`) with a `ShellStep`/`CodeBuildStep` synth. Show the `synth` command, `installCommands`, and `primaryOutputDirectory`, and explain the self-mutation step: why the pipeline redeploys its own stack before deploying application stages.

2. **Bootstrapping & trust** — the cross-account `cdk bootstrap` requirement: the modern bootstrap template, the `--trust` relationship from each target account to the pipeline account, and the qualifier/CloudFormation execution-role model. Call out the single most common cause of `... is not authorized to perform ...` failures here.

3. **Stages & waves** — model environments as `Stage`s added with `addStage`, and parallel deploys as `Wave`s. Show per-stage `env` (account + region) and how a `Stage` groups multiple stacks with correct dependency ordering.

4. **Gates** — pre/post steps on a stage: `ManualApprovalStep` before prod, and a `ShellStep` running infrastructure tests (assertions, `cdk-assertions`, or a smoke test against the just-deployed dev stage) that must pass before promotion.

5. **Assets & Docker** — how asset publishing works across accounts, when the build needs Docker/privileged mode, and how to keep synth fast.

6. **Drift & rollback** — how a failed stage rolls back, how to recover a pipeline that broke its own self-mutate step (the chicken-and-egg fix via a manual `cdk deploy` of the pipeline stack), and how to detect drift in deployed stages.

7. **Security** — least-privilege on the synth/build role, no long-lived creds in the pipeline, and scoping the cross-account trust to only what deploys need.

Output as: (a) the full pipeline stack code, (b) a stage/wave diagram across accounts, (c) the exact `cdk bootstrap --trust` commands per account, (d) the test + approval gate steps, (e) a recovery runbook for a broken self-mutate. Bias toward least-privilege cross-account trust and a hard test gate before prod.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Infrastructure as Code prompts & error guides

Browse every Infrastructure as Code prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.