Migrate cdktf to cdktn#1603
Conversation
cdktf was sunsetted by HashiCorp in Dec 2025 and is no longer maintained. CDK Terrain (cdktn) is a community fork from cdktf 0.21.0 with active maintenance. This migration replaces all cdktf dependencies and imports with their cdktn equivalents, eliminating the archived dependency chain. - Replace cdktf 0.21.0 with cdktn 0.22.1 - Replace cdktf-cli 0.21.0 with cdktn-cli 0.22.1 - Replace @cdktf/provider-azurerm 14.23.1 with @cdktn/provider-azurerm 15.11.0 - Replace @cdktf/provider-null 11.0.1 with @cdktn/provider-null 12.0.0 - Replace @cdktf/provider-time 11.0.1 with @cdktn/provider-time 12.0.0 - Update all source imports across 27 files - Update CLI invocation from cdktf-cli to cdktn-cli Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Upgrades Effect packages to resolve production-facing security issues: - effect 3.13.2 → 3.20.0 (fixes AsyncLocalStorage context contamination) - @effect/platform 0.77.2 → 0.79.4 - @effect/platform-node 0.73.2 → 0.75.0 (last version before rpc/sql/cluster peer deps) - @effect/cli 0.56.2 → 0.58.0 - @effect/printer 0.41.2 → 0.41.9 - @effect/printer-ansi 0.41.2 → 0.41.9 - @effect/typeclass 0.32.2 → 0.32.9 Adds pnpm security override for undici >= 7.24.0 to patch 3 WebSocket vulnerabilities (overflow, unbounded memory, unhandled exception). Resolves: GHSA-38f7 (effect), GHSA-f269/GHSA-vrm6/GHSA-v9p9 (undici), GHSA-c2c7 (picomatch). Total audit: 90 → 25 vulns, 0 Azure-path HIGHs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PR Summary
|
|
/integration sha=89055ff |
|
⌛ Integration tests are running... Check their status here 👈 |
|
✅ Integration tests have finished successfully! |
Eliminates the new shell-quote critical (GHSA-58qx-3vcg-4xpx) and reduces total vulns 35->21 (0 critical, 10 high). All 398 tests passing across framework-types, -core, -provider-azure, and -provider-azure-infrastructure. - cdktn 0.22.1 -> 0.23.3 (providers azurerm v15->v16, null/time v12->v13) - Effect ecosystem patch bumps within @effect/platform-node <0.76 ceiling (effect 3.20.0->3.21.3, @effect/cli, @effect/printer*, @effect/typeclass, @effect/platform-node 0.75.0->0.75.4) - uuid 11.0.5 -> 11.1.1 - .pnpmfile.cjs: add overrides for shell-quote, tar, serialize-javascript, flatted, minimatch, brace-expansion, ws, nanoid, js-yaml, yaml, follow-redirects; tighten qs >=6.15.2 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
/integration sha=3b14e9d |
|
⌛ Integration tests are running... Check their status here 👈 |
|
✅ Integration tests have finished successfully! |
There was a problem hiding this comment.
Pull request overview
This PR migrates Booster’s Azure infrastructure and integration-test tooling from deprecated CDK for Terraform (cdktf) to the actively maintained community fork CDK Terrain (cdktn), while also refreshing several security-sensitive dependencies and applying PNPM security overrides.
Changes:
- Replaces
cdktf/@cdktf/*dependencies and imports withcdktn/@cdktn/*across the Azure infrastructure synthesis/deploy code. - Updates Effect ecosystem and
uuidversions in multiple packages. - Extends Rush/PNPM
.pnpmfile.cjssecurity overrides to force safer transitive dependency ranges.
Reviewed changes
Copilot reviewed 34 out of 35 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| packages/framework-types/package.json | Bumps uuid and several effect/@effect/* deps. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/types/application-synth-stack.ts | Switches provider and CDK imports from cdktf to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/web-pubsub-extension-key/terraform-sleep.ts | Migrates TerraformStack/dependable and time-provider imports to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/web-pubsub-extension-key/terraform-function-app-data.ts | Migrates AzureRM/time provider imports to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-web-pubsub.ts | Switches AzureRM resource import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-web-pubsub-hub.ts | Switches AzureRM hub import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-web-pub-sub-extension-key.ts | Switches host-keys data source import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-storage-account.ts | Switches storage account import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-service-plan.ts | Switches service plan import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-resource-group.ts | Switches resource group import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-outputs.ts | Switches TerraformOutput import to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-function-app.ts | Switches function app resource/config imports to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-function-app-settings.ts | Switches storage account import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-event-hub.ts | Switches Event Hub resource import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-event-hub-namespace.ts | Switches Event Hub namespace import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-cosmosdb-sql-database.ts | Switches CosmosDB SQL DB import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-cosmosdb-database.ts | Switches CosmosDB account import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/terraform-containers.ts | Switches TerraformStack and AzureRM/provider imports to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-virtual-network.ts | Switches VNet import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-subnet.ts | Switches subnet import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-subnet-security.ts | Switches subnet NSG association import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-public-ip.ts | Switches public IP import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-public-ip-data.ts | Switches public IP data source import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-network-security-group.ts | Switches NSG import to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/gateway/terraform-application-gateway.ts | Switches App Gateway imports to @cdktn/provider-azurerm. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/synth/application-synth.ts | Switches TerraformStack and AzureRM provider/resource imports to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/index.ts | Updates deploy command to cdktn-cli and adjusts deploy failure messaging. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/azure-stack.ts | Switches Fn/TerraformStack imports from cdktf to cdktn. |
| packages/framework-provider-azure-infrastructure/src/infrastructure/application-builder.ts | Switches CDK app import to cdktn and updates synth-generation log message. |
| packages/framework-provider-azure-infrastructure/package.json | Replaces cdktf* deps with cdktn* deps and bumps uuid. |
| packages/framework-integration-tests/package.json | Replaces cdktf* deps with cdktn* deps and bumps Effect platform deps. |
| packages/framework-core/package.json | Bumps Effect ecosystem dependencies. |
| common/config/rush/.pnpmfile.cjs | Adds/updates security override ranges for multiple vulnerable transitives. |
| common/changes/@boostercloud/framework-core/chore-migrate-cdktf-to-cdktn_2026-05-05-20-03.json | Adds a changeset entry documenting the migration as a patch release. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
alvaroloes
left a comment
alvaroloes
left a comment
There was a problem hiding this comment.
Thanks for taking on the cdktn migration. I found one release/security issue that should be fixed before merging: some vulnerabilities are only corrected by the Rush pnpmfile/lockfile rewrite, while the published package manifests still declare the old exact direct dependency versions. Consumers installing the published Booster packages will not run this repo's pnpmfile, so those direct dependency fixes will not reach them.
I also saw the existing unresolved Copilot inline thread in packages/framework-provider-azure-infrastructure/src/infrastructure/index.ts around the catch block using error.message plus the extra } in the rejection string; I did not duplicate that comment, but it still looks actionable.
alvaroloes
left a comment
alvaroloes
left a comment
There was a problem hiding this comment.
Second-pass note after a deeper review:
- The direct-dependency security issue from my previous inline comment is broader than the examples I listed there. Besides
framework-core,framework-types, andframework-provider-aws-infrastructure, the PR branch still has exact oldws: 8.18.0declarations inapplication-tester,framework-integration-tests, andframework-provider-local. If the goal is to ship the security fixes to published/installed packages, those direct manifests should be bumped too, not only rewritten by Rush's pnpmfile in this repo. - The Azure synth docs still tell users they can deploy the generated output with
cdktf, while this PR removescdktf/cdktf-cliand the deploy path now usescdktn-cli. I could not attach this as an inline diff comment becausewebsite/docs/10_going-deeper/infrastructure-providers.mdxis not changed in the PR, but it should be updated before release or tracked as an explicit follow-up.
I rechecked the cdktn import paths and CLI invocation shape: the imports used by the Azure infrastructure package exist in the published cdktn packages, npx cdktn-cli resolves to the package's cdktn binary in a temp install, and cdktn still intentionally uses cdktf.json / cdktf.out naming internally.
|
/integration sha=8cce6b3 |
|
⌛ Integration tests are running... Check their status here 👈 |
|
❌ Oh no! Integration tests have failed |
|
⌛ Integration tests are running... Check their status here 👈 |
|
✅ Integration tests have finished successfully! |
alvaroloes
left a comment
alvaroloes
left a comment
There was a problem hiding this comment.
Re-reviewed latest head 8cce6b3.
The package-manifest security fixes from the previous review look good now: the direct ws specs are bumped to ^8.20.1, yaml is bumped to ^1.10.3, the lockfile resolves them to safe versions, and the Azure synth docs were updated away from cdktf.
I still cannot approve because the deployment error handler in packages/framework-provider-azure-infrastructure/src/infrastructure/index.ts:47 is unchanged. runCommand rejects with stderr as a string, so error.message will be undefined at runtime, and the template string still has the extra trailing }. This is already covered by the existing unresolved Copilot thread, so I am not duplicating the inline comment, but it remains an actionable blocker.
…to chore/migrate-cdktf-to-cdktn
alvaroloes
left a comment
alvaroloes
left a comment
There was a problem hiding this comment.
Re-reviewed latest head 95b9688. The previously blocking deploy error handling is fixed, the package-manifest dependency fixes and docs updates remain in place, and I don’t see any remaining merge-blocking issues.
All visible checks are passing (changes-check, lint, unit-tests, CodeQL, CodeSee). The remaining unresolved Copilot note is a log-message clarity suggestion around cdktf.json naming; I don’t consider it a blocker because cdktn intentionally retains cdktf.json / cdktf.out artifact names.
Description
As of December 10, 2025, CDK for Terraform (
cdktf) has been deprecated and is no longer maintained, leaving unpatched downstream vulnerabilities in the chain. CDK Terrain (cdktn) is an actively maintained community fork (forked from cdktf 0.21.0, our exact version) with full API compatibility. This PR migrates Booster's infrastructure packages fromcdktftocdktnand refreshes related security-sensitive dependencies.Changes
cdktf/@cdktf/*dependencies withcdktn/@cdktn/*inframework-provider-azure-infrastructureandframework-integration-tests.cdktfimports in the Azure infrastructure code tocdktn(~27 source files).cdktnto the latest available versions (cdktn0.23.3,@cdktn/provider-azurerm16.4.0,@cdktn/provider-null13.1.0,@cdktn/provider-time13.1.0).@effect/platform-node< 0.76 ceiling (effect3.13.2 → 3.21.3, plus@effect/platform,@effect/platform-node,@effect/cli,@effect/printer*,@effect/typeclassto their latest in-range patches).uuid11.0.5 → 11.1.1 inframework-typesandframework-provider-azure-infrastructure.common/config/rush/.pnpmfile.cjs(shell-quote,tar,serialize-javascript,flatted,minimatch,brace-expansion,ws,nanoid,js-yaml,yaml,follow-redirects,undici) to address remaining HIGH/CRITICAL transitives.Checks