AWS CDK (Advanced)
NestForge Pro includes full AWS CDK infrastructure-as-code for production deployments. This is the advanced path -- use it when you need autoscaling, managed databases, and enterprise-grade monitoring.
Prerequisites
- An AWS account and credentials that can create IAM roles. cdk bootstrap and the first deploy need this (the bootstrap stack creates IAM roles, an S3 bucket for assets and an ECR repository); for routine deploys, use the deploy roles the bootstrap stack creates rather than a standing admin user.
- AWS CLI installed and configured (aws configure)
- CDK bootstrapped in your target region:
npx cdk bootstrap aws://ACCOUNT_ID/ap-south-1
- Node.js 20+
Stacks overview
NestForge deploys six interconnected stacks. The entry point is infra/bin/app.ts.
| Stack | Resource | Description |
|---|---|---|
| VPC | VPC, subnets, NAT Gateway | Network foundation with public/private subnets |
| Database | RDS PostgreSQL 16 | Managed Postgres with automated backups |
| Cache | ElastiCache Redis | Managed Redis for BullMQ and session caching |
| API | ECS Fargate + ALB | Containerized NestJS API with load balancer |
| Storage | S3 + CloudFront | Static asset hosting and file uploads |
| Monitoring | CloudWatch Alarms | CPU, memory, 5xx rate, database connection alerts |
The stacks are wired together automatically -- the API stack receives database and Redis connection strings, the monitoring stack watches the API service and database instance.
Deploy
1. Install CDK dependencies
cd infra
npm install
2. Choose your stage
NestForge uses a stage context variable to namespace all resources. Default is staging.
# Staging
npx cdk deploy --all -c stage=staging
# Production
npx cdk deploy --all -c stage=production
3. Set environment variables
After the first deploy, provide the runtime configuration to the API task. Store secret values in AWS Systems Manager Parameter Store as SecureString parameters (encrypted with KMS) and reference them from the secrets section of the ECS task definition; do not place them in the plaintext environment section, where anyone who can describe the task definition can read them. Required variables:
- JWT_SECRET, JWT_REFRESH_SECRET
- STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET
- RESEND_API_KEY
- APP_URL, API_URL
4. Run migrations
The database is not reachable from the internet, so connect through a bastion host or an SSM Session Manager port-forwarding session (point DATABASE_URL at the forwarded local port) and run:
cd apps/api && npx prisma migrate deploy
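A worked version of step 3, added here as an example and not part of NestForge's own tooling: it checks that every required variable is present, stores the secret-bearing ones as SecureString parameters and the URLs as plain String parameters, and supports a dry run that prints the plan with values redacted so nothing leaks into a terminal log. The /nestforge/<stage>/ prefix, the apply argument and the DRY_RUN switch are assumptions of this example; use whatever parameter names the task definition actually references.

```shell
#!/bin/sh
# Added example (not NestForge's own tooling): store the variables from step 3
# as SSM parameters under a per-stage prefix. Secrets become SecureString
# parameters (KMS-encrypted at rest); plain URLs become String parameters.
# Assumed/hypothetical: the /nestforge/<stage>/ prefix and the name split below.
set -eu

STAGE="${STAGE:-staging}"
PREFIX="/nestforge/${STAGE}"
REQUIRED_VARS="JWT_SECRET JWT_REFRESH_SECRET STRIPE_SECRET_KEY STRIPE_WEBHOOK_SECRET RESEND_API_KEY APP_URL API_URL"
SECRET_VARS="JWT_SECRET JWT_REFRESH_SECRET STRIPE_SECRET_KEY STRIPE_WEBHOOK_SECRET RESEND_API_KEY"

# 256 bits from the kernel CSPRNG, hex-encoded (64 characters): a suitable
# value for JWT_SECRET / JWT_REFRESH_SECRET, unlike a hand-typed passphrase.
gen_secret() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Value of the variable named in $1, or empty if it is unset.
var_value() {
  eval "printf '%s' \"\${$1:-}\""
}

# SecureString for anything in SECRET_VARS, String for everything else.
param_type() {
  for s in $SECRET_VARS; do
    if [ "$s" = "$1" ]; then echo SecureString; return 0; fi
  done
  echo String
}

# Fail (non-zero) and name every missing variable instead of stopping at the first.
check_required() {
  missing=0
  for v in $REQUIRED_VARS; do
    if [ -z "$(var_value "$v")" ]; then
      echo "missing: $v" >&2
      missing=1
    fi
  done
  return $missing
}

# Write one parameter. With DRY_RUN=1 the command is printed with the value
# redacted, so the plan can be reviewed without the secret reaching a log.
put_param() {
  name="$1"; value="$2"
  ptype="$(param_type "$name")"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws ssm put-parameter --name $PREFIX/$name --type $ptype --overwrite --value <redacted>"
  else
    aws ssm put-parameter --name "$PREFIX/$name" --type "$ptype" --overwrite --value "$value" >/dev/null
  fi
}

main() {
  check_required
  for v in $REQUIRED_VARS; do
    put_param "$v" "$(var_value "$v")"
  done
}

# Runs only when invoked with "apply" (e.g. DRY_RUN=1 sh put-secrets.sh apply),
# so the functions can also be sourced and exercised on their own.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it with DRY_RUN=1 first and read the plan; JWT_SECRET and JWT_REFRESH_SECRET should be two separate gen_secret outputs, never the same value. Once the parameters exist, the ECS task definition's secrets section can reference them by name or ARN and the container receives them as environment variables without the values ever appearing in the task definition.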
CI/CD pipeline
NestForge includes a GitHub Actions workflow at .github/workflows/deploy.yml that automates the full deployment:
- Builds the API Docker image
- Pushes to Amazon ECR (nestforge-api)
- Runs Prisma migrations against the target database
- Triggers an ECS service update with the new image
- Waits for service stability (up to 10 minutes)
- Builds the web app and syncs to S3
- Invalidates the CloudFront cache
The workflow is triggered manually via workflow_dispatch and accepts a staging or production environment selector. Because this job runs migrations against the selected database and replaces the running service, put the production selector behind a protected GitHub environment with required reviewers, and give the workflow AWS access through a short-lived role assumed via OIDC rather than long-lived access keys stored as repository secrets.
Frontend deployment
The deploy workflow handles this automatically. The web app is built with:
npx turbo build --filter=@repo/web
Static assets are synced to an S3 bucket with aggressive caching (max-age=31536000, immutable). This is only safe if the build emits content-hashed filenames; if it does not, clients can keep stale assets for a year. index.html, which references those filenames, is uploaded with max-age=0, must-revalidate so browsers always check for a new copy. A CloudFront invalidation runs after each deploy so that edge caches stop serving the previous index.html.
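The order of the three publishing steps matters as much as the headers: hashed assets go up first, index.html last, then the invalidation. The following is an added example in shell with the AWS CLI, not the project's deploy.yml. BUILD_DIR, BUCKET and DISTRIBUTION_ID are placeholder values constructed for the example, the /* invalidation path is a choice made here, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the NestForge workflow itself): publish a built web app to
# S3 with the cache-control split from the text, then invalidate CloudFront.
# Assumed/hypothetical: BUILD_DIR, BUCKET and DISTRIBUTION_ID defaults below.
set -eu

BUILD_DIR="${BUILD_DIR:-apps/web/dist}"
BUCKET="${BUCKET:-nestforge-web-staging}"
DISTRIBUTION_ID="${DISTRIBUTION_ID:-EXAMPLE123}"

# Echo instead of executing when DRY_RUN=1, so the plan can be inspected.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# 1. Hashed assets first, long-lived and immutable. index.html is excluded here
#    so an interrupted sync never leaves a fresh index pointing at assets that
#    have not been uploaded yet. --delete prunes assets left over from old builds.
sync_assets() {
  run aws s3 sync "$BUILD_DIR" "s3://$BUCKET" --delete --exclude index.html \
    --cache-control "max-age=31536000, immutable"
}

# 2. index.html last, always revalidated, so the next navigation picks up the
#    new asset names.
publish_index() {
  run aws s3 cp "$BUILD_DIR/index.html" "s3://$BUCKET/index.html" \
    --cache-control "max-age=0, must-revalidate" --content-type text/html
}

# 3. Drop CloudFront's cached copies; without this the edges keep serving the
#    old index.html until its cached TTL expires.
invalidate() {
  run aws cloudfront create-invalidation --distribution-id "$DISTRIBUTION_ID" --paths "/*"
}

deploy_web() {
  sync_assets
  publish_index
  invalidate
}

# Runs only when invoked with "apply" (e.g. DRY_RUN=1 sh deploy-web.sh apply).
if [ "${1:-}" = "apply" ]; then
  deploy_web
fi
```

If the build emits assets under a versioned directory instead of hashed filenames, the same sequence still holds; what must not change is that index.html is the last object written and the invalidation is the last command.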
Cost estimate
Monthly costs vary by configuration. Rough estimates for a single-region deployment:
| Component | Estimated monthly cost |
|---|---|
| ECS Fargate (0.5 vCPU, 1GB) | $15-30 |
| RDS PostgreSQL (db.t4g.micro) | $15-25 |
| ElastiCache Redis (cache.t4g.micro) | $12-20 |
| NAT Gateway | $35-45 |
| ALB | $20-25 |
| S3 + CloudFront | $1-5 |
| CloudWatch | $0-5 |
| Total | $100-155 |
Scaling up to production-grade instances (db.t4g.small, larger Fargate tasks, multi-AZ) will increase costs to $200-300/month. The NAT Gateway is the single largest fixed cost -- consider NAT instances for development environments.
Tear down
To tear down all stacks for a stage:
npx cdk destroy --all -c stage=staging
Check the account afterwards: with CDK's default removal policies an RDS instance leaves a final snapshot behind and S3 buckets are retained (a non-empty bucket cannot be deleted by CloudFormation anyway), and cdk destroy never removes the CDKToolkit bootstrap stack. Delete those by hand if you want a clean account. Keep RDS deletion protection enabled on production so an accidental destroy fails instead of dropping the database.