Migrate cdktf to cdktn #1603

Open
MarcAstr0 wants to merge 4 commits into boostercloud:main from Optum:chore/migrate-cdktf-to-cdktn

MarcAstr0 (Collaborator) commented May 5, 2026

Description

As of December 10, 2025, CDK for Terraform (cdktf) has been deprecated and is no longer maintained, leaving unpatched downstream vulnerabilities in the chain. CDK Terrain (cdktn) is an actively maintained community fork (forked from cdktf 0.21.0, our exact version) with full API compatibility. This PR migrates Booster's infrastructure packages from cdktf to cdktn and refreshes related security-sensitive dependencies.

Changes

  • Replaces all cdktf / @cdktf/* dependencies with cdktn / @cdktn/* in framework-provider-azure-infrastructure and framework-integration-tests.
  • Updates all cdktf imports in the Azure infrastructure code to cdktn (~27 source files).
  • Bumps cdktn to the latest available versions (cdktn 0.23.3, @cdktn/provider-azurerm 16.4.0, @cdktn/provider-null 13.1.0, @cdktn/provider-time 13.1.0).
  • Bumps the Effect ecosystem within the safe @effect/platform-node < 0.76 ceiling (effect 3.13.2 → 3.21.3, plus @effect/platform, @effect/platform-node, @effect/cli, @effect/printer*, @effect/typeclass to their latest in-range patches).
  • Bumps uuid 11.0.5 → 11.1.1 in framework-types and framework-provider-azure-infrastructure.
  • Adds security overrides in common/config/rush/.pnpmfile.cjs (shell-quote, tar, serialize-javascript, flatted, minimatch, brace-expansion, ws, nanoid, js-yaml, yaml, follow-redirects, undici) to address remaining HIGH/CRITICAL transitives.

Checks

  • Project Builds
  • Project passes tests and checks
  • Updated documentation accordingly

Castro, Mario and others added 3 commits May 5, 2026 15:15
cdktf was sunsetted by HashiCorp in Dec 2025 and is no longer maintained.
CDK Terrain (cdktn) is a community fork from cdktf 0.21.0 with active
maintenance. This migration replaces all cdktf dependencies and imports
with their cdktn equivalents, eliminating the archived dependency chain.

- Replace cdktf 0.21.0 with cdktn 0.22.1
- Replace cdktf-cli 0.21.0 with cdktn-cli 0.22.1
- Replace @cdktf/provider-azurerm 14.23.1 with @cdktn/provider-azurerm 15.11.0
- Replace @cdktf/provider-null 11.0.1 with @cdktn/provider-null 12.0.0
- Replace @cdktf/provider-time 11.0.1 with @cdktn/provider-time 12.0.0
- Update all source imports across 27 files
- Update CLI invocation from cdktf-cli to cdktn-cli

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Upgrades Effect packages to resolve production-facing security issues:
- effect 3.13.2 → 3.20.0 (fixes AsyncLocalStorage context contamination)
- @effect/platform 0.77.2 → 0.79.4
- @effect/platform-node 0.73.2 → 0.75.0 (last version before rpc/sql/cluster peer deps)
- @effect/cli 0.56.2 → 0.58.0
- @effect/printer 0.41.2 → 0.41.9
- @effect/printer-ansi 0.41.2 → 0.41.9
- @effect/typeclass 0.32.2 → 0.32.9

Adds pnpm security override for undici >= 7.24.0 to patch 3 WebSocket
vulnerabilities (overflow, unbounded memory, unhandled exception).

Resolves: GHSA-38f7 (effect), GHSA-f269/GHSA-vrm6/GHSA-v9p9 (undici),
GHSA-c2c7 (picomatch). Total audit: 90 → 25 vulns, 0 Azure-path HIGHs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

MarcAstr0 added the "do not merge" label (This PR can be approved, but not merged yet) May 5, 2026

what-the-diff Bot commented May 5, 2026

PR Summary

  • Integration of the New Package cdktn in place of cdktf
    This PR includes the replacement of the cdktf package with the new cdktn package in the @boostercloud/framework-core system. This not only includes the addition of a new JSON file documenting this migration, but also modifications to multiple import statements within the codebase, particularly within the framework-provider-azure-infrastructure package. This change increases the adaptability and efficiency of the system.

  • Updated Dependency Versions
    Numerous dependency versions within the framework-core and framework-integration-tests have been updated. These include new versions of effect, @effect/platform, @effect/cli, @effect/printer, @effect/typeclass, and @effect/platform-node. Such updates ensure higher performance, improved stability and additional features in the application.

  • New Security Override for the undici Package
    The .pnpmfile.cjs configuration received a security upgrade with the introduction of a new security override for the undici package. This upgrade enhances the security of the application, protecting it from potential vulnerabilities.

  • Updated Logging Messages Reflecting Recent Changes
    With the transition to cdktn, logging messages have been adjusted to correctly represent the new deployment process, thereby enhancing the overall transparency and user-friendliness of the system.

  • Updated @effect Libraries Versions
    Several @effect libraries have been updated, including effect, @effect/cli, @effect/platform, @effect/printer, @effect/printer-ansi, and @effect/typeclass. These updates ensure the system remains up-to-date with the latest improvements in these libraries, thereby promoting better functionality and user experience.

@MarcAstr0 (Collaborator, Author)

/integration sha=89055ff

github-actions Bot (Contributor) commented May 5, 2026

⌛ Integration tests are running...

Check their status here 👈

github-actions Bot (Contributor) commented May 5, 2026

✅ Integration tests have finished successfully!

Eliminates the new shell-quote critical (GHSA-58qx-3vcg-4xpx) and reduces
total vulns 35->21 (0 critical, 10 high). All 398 tests passing across
framework-types, -core, -provider-azure, and -provider-azure-infrastructure.

- cdktn 0.22.1 -> 0.23.3 (providers azurerm v15->v16, null/time v12->v13)
- Effect ecosystem patch bumps within @effect/platform-node <0.76 ceiling
  (effect 3.20.0->3.21.3, @effect/cli, @effect/printer*, @effect/typeclass,
  @effect/platform-node 0.75.0->0.75.4)
- uuid 11.0.5 -> 11.1.1
- .pnpmfile.cjs: add overrides for shell-quote, tar, serialize-javascript,
  flatted, minimatch, brace-expansion, ws, nanoid, js-yaml, yaml,
  follow-redirects; tighten qs >=6.15.2

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
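
One way a `.pnpmfile.cjs` security override of the kind these commits describe can be written, as an added example that is not the PR's own file: pnpm's `readPackage` hook raising transitive ranges to a floor. Only the `undici >=7.24.0` and `qs >=6.15.2` floors come from this page; `FLOORS`, `applyFloors` and the sample manifest are constructed for illustration, and that the PR's file is structured this way is an assumption.

```javascript
// Added example: a pnpm readPackage hook that raises vulnerable transitive ranges.
// FLOORS holds only the two ranges quoted on this page; the other overridden
// packages are omitted because the page does not give their ranges.
const FLOORS = {
  undici: '>=7.24.0',
  qs: '>=6.15.2',
}

const SECTIONS = ['dependencies', 'optionalDependencies']

// Rewrites matching entries in place and returns the list of changes made.
function applyFloors(pkg, floors = FLOORS) {
  const changes = []
  for (const section of SECTIONS) {
    const deps = pkg[section]
    if (!deps) continue
    for (const [name, floor] of Object.entries(floors)) {
      // Only touch packages the manifest already asks for; never add new ones.
      if (!Object.prototype.hasOwnProperty.call(deps, name)) continue
      const requested = deps[name]
      // Leave non-registry specifiers (workspace:, file:, git URLs, aliases) alone.
      if (/^(workspace:|file:|link:|git|https?:|npm:)/.test(requested)) continue
      if (requested === floor) continue
      deps[name] = floor
      changes.push({ pkg: pkg.name, section, name, from: requested, to: floor })
    }
  }
  return changes
}

// pnpm calls readPackage for every manifest it resolves, direct or transitive.
function readPackage(pkg, context) {
  for (const c of applyFloors(pkg)) {
    context.log(`security override: ${c.pkg} ${c.section}.${c.name} ${c.from} -> ${c.to}`)
  }
  return pkg
}

if (typeof module !== 'undefined') module.exports = { hooks: { readPackage } }

// Constructed manifest of a hypothetical transitive dependency.
const sample = {
  name: 'example-http-client',
  dependencies: { undici: '^5.28.0', qs: 'workspace:*', lodash: '^4.17.21' },
  optionalDependencies: { qs: '~6.5.0' },
}
const logged = []
readPackage(sample, { log: (m) => logged.push(m) })
```

A floor replaces whatever range the dependent package declared, including across major versions, so the dependent package's own tests are the only check that it still works with the forced version.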
@MarcAstr0 (Collaborator, Author)

/integration sha=3b14e9d

github-actions Bot (Contributor) commented Jun 9, 2026

⌛ Integration tests are running...

Check their status here 👈

github-actions Bot (Contributor) commented Jun 9, 2026

✅ Integration tests have finished successfully!

MarcAstr0 changed the title from "Chore/migrate cdktf to cdktn" to "Migrate cdktf to cdktn" Jun 10, 2026
MarcAstr0 removed the "do not merge" label (This PR can be approved, but not merged yet) Jun 10, 2026
MarcAstr0 marked this pull request as ready for review June 10, 2026 12:56
MarcAstr0 requested review from a team and Copilot June 10, 2026 12:56

Copilot AI (Contributor) left a comment

Pull request overview

This PR migrates Booster’s Azure infrastructure and integration-test tooling from deprecated CDK for Terraform (cdktf) to the actively maintained community fork CDK Terrain (cdktn), while also refreshing several security-sensitive dependencies and applying PNPM security overrides.

Changes:

  • Replaces cdktf / @cdktf/* dependencies and imports with cdktn / @cdktn/* across the Azure infrastructure synthesis/deploy code.
  • Updates Effect ecosystem and uuid versions in multiple packages.
  • Extends Rush/PNPM .pnpmfile.cjs security overrides to force safer transitive dependency ranges.

Reviewed changes

Copilot reviewed 34 out of 35 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| packages/framework-types/package.json | Bumps uuid and several effect/@effect/* deps. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/types/application-synth-stack.ts | Switches provider and CDK imports from cdktf to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/web-pubsub-extension-key/terraform-sleep.ts | Migrates TerraformStack/dependable and time-provider imports to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/web-pubsub-extension-key/terraform-function-app-data.ts | Migrates AzureRM/time provider imports to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-web-pubsub.ts | Switches AzureRM resource import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-web-pubsub-hub.ts | Switches AzureRM hub import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-web-pub-sub-extension-key.ts | Switches host-keys data source import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-storage-account.ts | Switches storage account import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-service-plan.ts | Switches service plan import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-resource-group.ts | Switches resource group import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-outputs.ts | Switches TerraformOutput import to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-function-app.ts | Switches function app resource/config imports to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-function-app-settings.ts | Switches storage account import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-event-hub.ts | Switches Event Hub resource import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-event-hub-namespace.ts | Switches Event Hub namespace import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-cosmosdb-sql-database.ts | Switches CosmosDB SQL DB import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-cosmosdb-database.ts | Switches CosmosDB account import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-containers.ts | Switches TerraformStack and AzureRM/provider imports to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-virtual-network.ts | Switches VNet import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-subnet.ts | Switches subnet import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-subnet-security.ts | Switches subnet NSG association import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-public-ip.ts | Switches public IP import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-public-ip-data.ts | Switches public IP data source import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-network-security-group.ts | Switches NSG import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-application-gateway.ts | Switches App Gateway imports to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/application-synth.ts | Switches TerraformStack and AzureRM provider/resource imports to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/index.ts | Updates deploy command to cdktn-cli and adjusts deploy failure messaging. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/azure-stack.ts | Switches Fn/TerraformStack imports from cdktf to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/application-builder.ts | Switches CDK app import to cdktn and updates synth-generation log message. |
| packages/framework-provider-azure-infrastructure/package.json | Replaces cdktf* deps with cdktn* deps and bumps uuid. |
| packages/framework-integration-tests/package.json | Replaces cdktf* deps with cdktn* deps and bumps Effect platform deps. |
| packages/framework-core/package.json | Bumps Effect ecosystem dependencies. |
| common/config/rush/.pnpmfile.cjs | Adds/updates security override ranges for multiple vulnerable transitives. |
| common/changes/@boostercloud/framework-core/chore-migrate-cdktf-to-cdktn_2026-05-05-20-03.json | Adds a changeset entry documenting the migration as a patch release. |


Comment on lines 44 to 48
try {
await runCommand(process.cwd(), 'npx cdktf-cli deploy --auto-approve --ignore-missing-stack-dependencies')
await runCommand(process.cwd(), 'npx cdktn-cli deploy --auto-approve --ignore-missing-stack-dependencies')
} catch (error) {
return Promise.reject(`Deployment of application ${config.appName} failed. Check cdktf logs. \n${error.message}}`)
return Promise.reject(`Deployment of application ${config.appName} failed. Check Terraform logs. \n${error.message}}`)
}
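
Review bot: the rewritten rejection message still ends in `${error.message}}`, so every failed deployment prints a stray `}` after the underlying error; drop the extra brace while this line is being changed. The rejection value is also a plain string, which discards the original stack; wrapping it as `Promise.reject(new Error(...))` would keep callers able to inspect it. Separately, the deploy command calls `npx cdktn-cli` with no version, so it is worth confirming that it always resolves to the locally installed, lockfile-pinned package rather than a copy fetched at deploy time, given that it runs with `--auto-approve`.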