This is a guest post written by Ramanathan Nachiappan from GoDaddy.

In the world of infrastructure as code, the AWS Cloud Development Kit (AWS CDK) has revolutionized how teams define and provision cloud resources. Central to its operation is the bootstrapping process, which ensures all required resources and permissions are in place to enable secure and scalable deployments.

At GoDaddy, our cloud journey has always prioritized governance, compliance, and a great developer experience. As our AWS footprint expanded across hundreds of teams and thousands of deployments, we faced a classic engineering dilemma: how do we uphold rigorous governance standards without compromising developer velocity? AWS CDK’s default bootstrapping process—while essential—often clashed with our governance model, creating friction, workarounds, and wasted cycles.

This post details how we evolved beyond that friction, eliminating the explicit bootstrap step entirely and replacing it with a seamless, zero-touch experience. The result: a “bootstrapless” CDK deployment flow that enforces governance invisibly and empowers developers to deploy with a single command.

The Governance Imperative: Security by Design

GoDaddy’s governance model isn’t just a checkbox for compliance; it’s the foundation of our cloud security posture. Our approach requires all AWS resource modifications to flow through AWS CloudFormation, with each deployment evaluated against our rule sets covering:

- Security configurations: Encryption requirements, network controls, access management
- Compliance standards: Data protection, regulatory requirements, audit capabilities
- Operational practices: Resource tagging, backup strategies, monitoring configurations
- Cost optimization: Resource sizing, lifecycle management, utilization thresholds

Our CloudFormation hooks evaluate every resource against these rules pre-deployment, helping to reduce the likelihood of non-compliant resources being created.
This proactive approach is designed to support governance from day one, rather than retroactively detecting violations.

The CDK Bootstrap Challenge

AWS CDK v1 vs AWS CDK v2:

- AWS CDK v1: Used the active AWS CLI credentials for all deployments.
- AWS CDK v2: Introduced a new bootstrap template with five new AWS Identity and Access Management (IAM) roles, designed primarily for CDK Pipelines. These roles must be assumed or passed by the AWS CLI.

It’s worth noting that AWS CDK v2 still fully supports the legacy synthesizer, allowing users to maintain their existing v1-style workflows.

When AWS CDK v2 arrived, its bootstrap process introduced crucial changes designed to standardize authentication across multiple deployment tools and scenarios (CLI, cross-account deployments, pipelines, etc.). The standard cdk bootstrap command creates several essential components:

```bash
# Creates the default bootstrap stack with resources
cdk bootstrap
```

This command provisions:

- An Amazon Simple Storage Service (Amazon S3) bucket for deployment assets (AWS Lambda code, CloudFormation templates)
- Amazon Elastic Container Registry (Amazon ECR) repositories for container images
- A collection of five IAM roles enabling AWS CDK’s deployment capabilities

Here’s where things got interesting for GoDaddy.
While the default AWS CDK setup includes security measures (like encrypted Amazon S3 buckets), our enterprise governance requirements had additional specifications that created some difficulty with the default bootstrap resources:

- Amazon S3 buckets needed additional encryption, logging, and compliance settings beyond the defaults
- IAM roles required alignment with our specific permission boundaries and organizational policies
- Amazon ECR repositories needed mandatory GoDaddy tags and access configurations
- Additional compliance requirements around resource naming, backup policies, and monitoring

These GoDaddy-specific governance requirements meant the default bootstrap resources did not pass our validation checks, slowing deployments for developers and increasing support overhead for GoDaddy’s governance platform as teams worked around the governance failures.

Phase 1: Custom Bootstrap Templates

Our first step toward enhancing the developer experience was creating a customized bootstrap approach using two key components:

1. The GDStack and Conformers

We developed a specialized CDK construct called GDStack extending the native CDK Stack. This custom stack framework used CDK Aspects to automatically ensure governance compliance:

- Automatic Resource Conformers: We built a system of “conformers” that apply company-wide governance standards to every resource automatically. For example, our S3Conformer ensures all buckets have required encryption, logging, and access settings.
- CDK Aspects Under the Hood: These conformers use AWS CDK’s powerful Aspects system—a visitor pattern that traverses all constructs in a stack and applies transformations. This allowed us to inspect and modify any non-compliant resources during synthesis without requiring developers to learn complicated rules.
- Seamless Governance: When developers added resources to a GDStack, these aspects would automatically transform the resources to align with our governance rules before deployment—all invisible to the developer.

This approach dramatically reduced turnaround time for developers, who previously had to manually correct violations in their application-specific CloudFormation stacks after failed deployments. Instead, the system intelligently fixed issues before they became deployment failures.

2. CliCredentialsStackSynthesizer

Instead of using AWS CDK’s default deployment roles, we used the CliCredentialsStackSynthesizer to:

- Use the developer’s CLI credentials directly for deployments
- Eliminate the need for complex cross-account role assumptions
- Respect our existing IAM permission boundaries
- Simplify the authentication flow

Our solution required a custom bootstrap command:

```bash
# Custom bootstrap with governance-compliant template
npx cdk bootstrap --template node_modules/internal-constructs/bootstrap-template.yaml --tags governance=safeguard
```

This approach worked well, but still required teams to run a bootstrap step with precise GoDaddy-specific parameters. Although our platform documentation was extensive, some users still encountered issues as they continued to use the native cdk bootstrap command instead of the custom command. This behavior likely stemmed from the habit of running cdk bootstrap first, as trained by the native AWS CDK workflow. As a result, this approach still left teams with some support and troubleshooting workload.

We needed a more elegant solution for our needs!

Phase 2: The Revolutionary Bootstrapless Approach

As AWS CDK evolved, so did our thinking. The introduction of the AppStagingSynthesizer opened new possibilities, leading us to develop a completely bootstrapless solution.

The Factory Pattern Solution

We engineered an elegant chain of specialized components:

Figure: Bootstrapless CDK Factory Pattern Design

Each component plays a crucial role:

1. GDStack: The Developer Interface

This is the only component developers interact with directly:

```typescript
// Developer simply extends GDStack instead of Stack
export class MyApplicationStack extends GDStack {
  constructor(scope: Construct, id: string, props: GDStackProps) {
    super(scope, id, props);

    // Normal CDK resource definitions
    new s3.Bucket(this, 'MyBucket', { ... });
  }
}
```

2. GDStackSynthesizerFactory: The Orchestrator

This factory connects our custom components with CDK’s synthesis system:

```typescript
export const GDStackSynthesizerFactory = () => {
  return AppStagingSynthesizer.customFactory({
    factory: new GDStagingStackFactory(),
    deploymentIdentities: DeploymentIdentities.cliCredentials(),
  });
};
```

3. GDStagingStackFactory: The Resource Producer Factory

This implements the IStagingResourcesFactory interface to dynamically create staging resources:

```typescript
export class GDStagingStackFactory implements IStagingResourcesFactory {
  public obtainStagingResources(
    stack: cdk.Stack,
    context: ObtainStagingResourcesContext,
  ): IStagingResources {
    const app = cdk.App.of(stack)!;
    const appId = getAppIdFromContext(app.node);
    // One staging stack per application and environment
    const stagingStack = new GDStagingStack(
      app,
      `StagingStack-${appId}-${context.environmentString}`,
      {
        env: { region: stack.region, account: stack.account },
        appId: appId,
      },
    );
    return stagingStack;
  }
}
```

4. GDStagingStack: The Resource Producer for App-Level Bootstrapping

This stack implements IStagingResources and creates rule-compliant assets on demand:

```typescript
export class GDStagingStack extends cdk.Stack implements IStagingResources {
  constructor(scope: Construct, id: string, props: GDStagingStackProps) {
    super(scope, id, {
      ...props,
      // The magic ingredient - BootstraplessCliSynthesizer
      synthesizer: new BootstraplessCliSynthesizer(),
      description: `This stack includes resources needed to deploy the AWS CDK app ${props.appId} into this environment`,
    });

    // Apply governance conformers to everything
    this.applyGovernanceConformers();

    // Create compliant resources
    const bucket = new s3.Bucket(this, "CdkStagingBucket", {
      bucketName: `cdk-${this.appId}-staging-${this.account}-${this.region}`,
      // Conformers ensure encryption, logging, and other requirements
    });

    // Additional resource creation...
  }
}
```

The Secret Sauce: BootstraplessCliSynthesizer

The cornerstone of our solution is a custom synthesizer, BootstraplessCliSynthesizer, that combines the best aspects of AWS CDK’s built-in synthesizers BootstraplessSynthesizer and CliCredentialsStackSynthesizer. It brings together key features from both AWS CDK synthesizers while adding our own innovations:

- From CliCredentialsStackSynthesizer: Uses the CLI credentials directly for all operations
- From BootstraplessSynthesizer: Eliminates the need for bootstrap resources
- Our custom approach: Purpose-built specifically for the GDStagingStack, with explicit asset rejection; the GDStagingStack itself creates the required asset resources on demand for the CDK application.
This synthesizer:

- Requires no bootstrapping in any region
- Uses AWS CLI credentials directly for all operations
- Maintains a minimal implementation focused solely on template generation

```typescript
export class BootstraplessCliSynthesizer extends cdk.StackSynthesizer {
  constructor() {
    super();
  }

  // Prevent asset uploads to enforce governance compliance
  public addFileAsset(_asset: cdk.FileAssetSource): cdk.FileAssetLocation {
    throw new Error(
      "Cannot add assets to a Stack that uses the BootstraplessCliSynthesizer",
    );
  }

  public addDockerImageAsset(
    _asset: cdk.DockerImageAssetSource,
  ): cdk.DockerImageAssetLocation {
    throw new Error(
      "Cannot add assets to a Stack that uses the BootstraplessCliSynthesizer",
    );
  }

  // Minimal synthesis - just template generation and artifact emission
  public synthesize(session: cdk.ISynthesisSession): void {
    // Same as LegacySynthesizer
    this.synthesizeTemplate(session);
    this.emitArtifact(session);
  }
}
```

Our innovation was creating a synthesizer used only for the GDStagingStack that works in concert with our factory pattern. Rather than assuming pre-existing bootstrap resources, it enables the staging stack itself to create the required asset resources on demand, achieving enhanced bootstrapless deployments while maintaining governance compliance.
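
The conformer step that GDStagingStack applies to its staging resources can be modelled directly on a synthesized template. The following is an added example, not GoDaddy's code: it runs an S3 and an ECR conformer over CloudFormation resources, and the default values, the placeholder log bucket name and the sample template are assumptions.

```typescript
// Added example: conformers applied to plain CloudFormation resources (no CDK needed).
// Rule values are assumptions; the post does not list GoDaddy's actual settings.
type Props = Record<string, any>;
type Template = { Resources: Record<string, { Type: string; Properties?: Props }> };
// Fill in each default only where the stack author left the property unset.
function fillMissing(p: Props, defaults: Props): string[] {
  const added = Object.keys(defaults).filter(k => p[k] === undefined);
  for (const k of added) p[k] = defaults[k];
  return added;
}
// One conformer per resource type; each returns the names of the settings it added.
const CONFORMERS: Record<string, (p: Props) => string[]> = {
  "AWS::S3::Bucket": p => fillMissing(p, {
    BucketEncryption: { ServerSideEncryptionConfiguration: [
      { ServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms" } }] },
    PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true,
      IgnorePublicAcls: true, RestrictPublicBuckets: true },
    LoggingConfiguration: { DestinationBucketName: "ACCESS-LOG-BUCKET-PLACEHOLDER" },
  }),
  "AWS::ECR::Repository": p => {
    const tags: { Key: string; Value: string }[] = (p.Tags = p.Tags ?? []);
    if (tags.some(t => t.Key === "governance")) return [];
    tags.push({ Key: "governance", Value: "safeguard" }); // tag from the post's bootstrap command
    return ["Tags"];
  },
};

// Visit every resource, the way a CDK Aspect visits every construct in a stack.
function applyConformers(t: Template): Record<string, string[]> {
  const report: Record<string, string[]> = {};
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    const conform = CONFORMERS[res.Type];
    if (!conform) continue; // no rule for this resource type
    const added = conform(res.Properties ?? (res.Properties = {}));
    if (added.length > 0) report[id] = added;
  }
  return report;
}

// Constructed sample: a staging bucket with encryption only, an untagged repository.
function sampleTemplate(): Template {
  return { Resources: {
    CdkStagingBucket: { Type: "AWS::S3::Bucket", Properties: { BucketEncryption: {
      ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }] } } },
    CdkStagingRepo: { Type: "AWS::ECR::Repository" },
    Topic: { Type: "AWS::SNS::Topic" },
  } };
}
```

Because `fillMissing` only adds unset properties, the explicit `AES256` setting in the sample is left in place, so a rule that demands a stronger value still has to be enforced by the pre-deployment hook. A second pass over the same template returns an empty report, which makes the conformer safe to run on every synthesis.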
The Elegant Workflow: Dynamic Asset Management

Our solution transformed the developer experience through intelligent, on-demand resource provisioning:

Our Previous Custom Approach:

```bash
# Pre-provision compliant bootstrap resources
npx cdk bootstrap --template node_modules/internal-constructs/bootstrap-template.yaml --tags governance=safeguard

# Deploy applications
npx cdk deploy
```

Our New Enhanced Bootstrapless Approach:

```bash
# Deploy directly - compliant staging resources created automatically when needed
npx cdk deploy
```

The key advantage is our intelligent asset management:

- On-Demand Resource Creation: Staging resources (Amazon S3 buckets, Amazon ECR repositories) are created automatically when needed, rather than requiring pre-provisioning
- Governance Integration: All staging resources are created with full compliance built-in from the start
- Simplified Credential Flow: Uses existing CLI credentials without complex role assumption chains
- Multi-Account Scalability: Works seamlessly across any number of AWS accounts and regions

Behind the scenes, our architecture:

- Creates governance-compliant staging resources dynamically as applications require them
- Uses the developer’s existing CLI credentials for all operations
- Applies security and compliance requirements transparently
- Eliminates the need to manage bootstrap stacks across environments

Evolution of Approaches

| Approach | Bootstrap Required | Security Model | Asset Management | GoDaddy Governance | Developer Workflow |
| --- | --- | --- | --- | --- | --- |
| AWS CDK v2 Default | Yes (one-time) | 5 deployment roles | Pre-provisioned bootstrap stack | Failed validation checks | Standard setup + deploy |
| Custom Template + CliCredentialsStackSynthesizer | Yes (one-time) | CLI credentials | Compliant bootstrap stack via custom template | Passes all checks | Setup + deploy |
| GDStagingStack + BootstraplessCliSynthesizer | No | CLI credentials | Compliant staging resources created dynamically on-demand | Passes all checks | Deploy only |

Business Impact: GoDaddy’s Transformation

The business value of our bootstrapless approach has been significant for GoDaddy’s infrastructure teams:

- Streamlined developer focus: Our teams now focus entirely on writing infrastructure implementation logic, with AWS CDK bootstrapping fully abstracted and automated. Developers no longer need to work with bootstrap configurations, even though it was a one-time setup per environment previously.
- Automated compliance: Deployments automatically meet GoDaddy’s governance requirements without developer intervention, addressing the validation failures we experienced with default bootstrap resources.
- Simplified support model: Our platform support team handles fewer bootstrap-related configuration requests, allowing them to focus on broader platform improvements.
- Broader CDK adoption: The streamlined workflow has encouraged more teams at GoDaddy to adopt AWS CDK in place of native CloudFormation YAML for their infrastructure management.

This bootstrapless approach has worked well for GoDaddy’s specific governance requirements and development workflow preferences, demonstrating one way to integrate enterprise compliance seamlessly into AWS CDK deployments.

Conclusion: The Invisible Framework

The evolution from bootstrap-dependent to bootstrapless CDK deployments represents more than a technical improvement—it demonstrates a pathway to eliminate friction while strengthening organization-specific governance. Our implementation at GoDaddy validates that enterprise compliance and developer productivity can be achieved simultaneously.

Organizations seeking to implement similar solutions should begin by evaluating the AppStagingSynthesizer capabilities within their current AWS CDK deployment patterns. This assessment will reveal opportunities to reduce bootstrap dependencies while maintaining security and compliance standards. For comparison, teams can also examine the BootstraplessSynthesizer to understand alternative approaches to eliminating traditional bootstrap resources.
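
One way to start that assessment is to inspect the cloud assembly manifest that synthesis writes to cdk.out/manifest.json. The following is an added example, not GoDaddy's or AWS's code: it lists the stack artifacts that still name bootstrap roles or a required bootstrap stack version, and the sample manifest, stack names and account ID are constructed.

```typescript
// Added example: audit a synthesized cloud assembly manifest (cdk.out/manifest.json)
// for stacks whose deployment still depends on `cdk bootstrap` resources.
type Artifact = { type: string; environment?: string; properties?: Record<string, any> };
type Manifest = { artifacts: Record<string, Artifact> };
type Finding = { stack: string; environment: string; roles: string[]; versionGate: number | null };

// Stack-artifact properties that name a bootstrap role to assume or pass.
const ROLE_PROPS = ["assumeRoleArn", "cloudFormationExecutionRoleArn"];

function findBootstrapDependencies(m: Manifest): Finding[] {
  const findings: Finding[] = [];
  for (const id of Object.keys(m.artifacts)) {
    const a = m.artifacts[id];
    if (a.type !== "aws:cloudformation:stack") continue; // skip asset manifests and the tree
    const props = a.properties ?? {};
    const roles = ROLE_PROPS.filter(k => typeof props[k] === "string");
    if (props.lookupRole !== undefined) roles.push("lookupRole");
    const versionGate: number | null = props.requiresBootstrapStackVersion ?? null;
    if (roles.length > 0 || versionGate !== null) {
      findings.push({ stack: id, environment: a.environment ?? "unknown", roles, versionGate });
    }
  }
  return findings;
}

// Constructed sample: one stack synthesized against the default bootstrap roles and one
// that carries only a template. Account ID, region and stack names are placeholders.
const sampleManifest: Manifest = { artifacts: {
  "Tree": { type: "cdk:tree", properties: { file: "tree.json" } },
  "DefaultSynthApp.assets": { type: "cdk:asset-manifest",
    properties: { file: "DefaultSynthApp.assets.json" } },
  "DefaultSynthApp": { type: "aws:cloudformation:stack",
    environment: "aws://111111111111/us-west-2",
    properties: { templateFile: "DefaultSynthApp.template.json",
      assumeRoleArn: "arn:${AWS::Partition}:iam::111111111111:role/cdk-hnb659fds-deploy-role-111111111111-us-west-2",
      cloudFormationExecutionRoleArn: "arn:${AWS::Partition}:iam::111111111111:role/cdk-hnb659fds-cfn-exec-role-111111111111-us-west-2",
      requiresBootstrapStackVersion: 6,
      bootstrapStackVersionSsmParameter: "/cdk-bootstrap/hnb659fds/version" } },
  "StagingStack-myapp": { type: "aws:cloudformation:stack",
    environment: "aws://111111111111/us-west-2",
    properties: { templateFile: "StagingStack-myapp.template.json" } },
} };
```

Run against a real assembly by passing the parsed manifest.json to `findBootstrapDependencies`; an empty result means no stack in the assembly names a bootstrap role or version requirement.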
The implementation approach we’ve outlined leverages established AWS CDK patterns, including the CliCredentialsStackSynthesizer for credential management and dynamic resource provisioning interfaces. These core AWS CDK interfaces — IStagingResourcesFactory and IStagingResources — form the foundation for creating governance-compliant, bootstrapless deployment workflows that scale across enterprise environments.

The future of infrastructure as code lies in systems that enforce governance invisibly while empowering developers to focus on business logic. As AWS CDK continues to evolve, the patterns we’ve demonstrated at GoDaddy provide a foundation for organizations to build their own invisible frameworks—where compliance becomes a catalyst for velocity rather than an obstacle to innovation.

The content and opinions in this blog are those of the third-party author and AWS is not responsible for the content or accuracy of this blog.

Ramanathan Nachiappan is a Senior Software Engineer at GoDaddy, specializing in cloud infrastructure automation, governance frameworks, and AI-driven solutions. He designs and implements tools, platforms, and policies to enhance developer productivity while ensuring compliance with security standards. His current focus includes developing agentic workflows and AI-powered automation systems that streamline enterprise infrastructure operations.