Depot Platform CDK Bootstrap
The Depot Platform CDK code base contains a Bootstrap component. It lives under the Platform CDK component but is worth calling out separately, because it explains how Depot environments are deployed from your infrastructure-as-code project.
Enabling Depot for AWS Accounts
Every AWS account that is to host Depot infrastructure needs the Depot bootstrapping components installed. This is normally a one-off operation per account. It puts in place a set of aws-cdk Custom Resources that handle the environment deployment lifecycle events CREATE, UPDATE, and DELETE.
When your code (using @stage-tech/depot-cdk) executes CDK operations, this library 'talks' to the Custom Resources that the Depot Bootstrap component installs in your AWS account. The Custom Resources talk to CloudFormation which in turn manages the operations required to update your stack(s).
You can see a high-level example of this process in the Depot CDK section.
To summarise, the Bootstrap components provide the control flow between your project CDK code and the underlying Depot Platform CDK components that create, update, and delete your Depot environments as you require.
Bootstrap Configuration Flags
Each bootstrap entry-point (bootstrap/bootstrap-<env>.ts) passes a BootstrapProps object to the Bootstrap stack. The following optional flags control which account-level resources are provisioned.
Service-linked roles
These flags default to true. Set to false only if the service-linked role already exists in the account (CloudFormation will error if you try to create one that already exists).
| Flag | AWS service-linked role | Default |
|---|---|---|
| esLinkedRole | es.amazonaws.com (OpenSearch / ElasticSearch) | true |
| apigLinkedRole | ops.apigateway.amazonaws.com (API Gateway) | true |
| emrLinkedRole | elasticmapreduce.amazonaws.com (EMR) | true |
| ecsLinkedRole | ecs.amazonaws.com (ECS) | true |
| codestarLinkedRole | codestar-notifications.amazonaws.com (CodeStar Notifications) | true |
Shared VPC (sharedVpc, sharedVpcDynamicAvailabilityZones)
sharedVpc: true provisions a depot-shared-vpc VPC (10.0.0.0/16) with public + private subnets, one NAT gateway, and S3 / DynamoDB gateway endpoints. Required for Depot environments that use VPC-based storage (e.g. Aurora, OpenSearch).
sharedVpcDynamicAvailabilityZones: true lets CDK select AZs dynamically at deploy time (requires a CloudFormation SSM bootstrap context lookup). When false (default), AZs are pinned to eu-west-1a/b/c.
Snowflake credential validation (snowflakeSecretArn)
When set, a Lambda trigger function runs at deploy time to validate ACCOUNTADMIN-level Snowflake credentials stored in Secrets Manager. Used for accounts that provision Snowflake resources via the bootstrap. Omit if the account has no Snowflake integration.
S3 Tables Iceberg (s3TablesIceberg)
Setting s3TablesIceberg: true provisions the account-level AWS resources required for Depot environments to use S3 Tables-backed Iceberg storage. Each is an account-level singleton that cannot be deployed per-environment without conflicts:
| Resource | Why account-level |
|---|---|
| LakeFormation admin settings (CfnDataLakeSettings) | Replaces the entire LF admin list — deploying per-environment would clobber each other |
| LF service role (lakeformation.amazonaws.com trust) | Wildcard registration covers all buckets; duplicating it per-environment is an API error |
| Wildcard LF data location (arn:aws:s3tables:…:bucket/*) | Same — account-level singleton |
| Glue federated catalog (s3tablescatalog) | One catalog per account; CreateCatalog fails if called twice |
These are prerequisites for the per-environment stacks that provision S3 Tables buckets and Lake Formation grants. The bootstrap stack exports a CloudFormation output (SDP-Bootstrap-S3TablesCatalogName) so downstream stacks can enforce the prerequisite and prevent accidental removal of the flag.
Enabled for: depot-dev, salt-dev, sphinx-dev, sphinx-test. Default: false.
If a Depot environment deploy fails with the error "Export SDP-Bootstrap-S3TablesCatalogName does not exist in the region", the bootstrap for that account was not deployed with s3TablesIceberg: true. Check the sdp-bootstrap-environment CodeBuild logs for the full error.
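The following pre-flight script is an added example and not part of the depot-cdk project. It maps the service-linked-role flags from the table above to the IAM path where each such role lives, recommends a flag value for the account so CloudFormation does not try to create a role that already exists, and checks for the SDP-Bootstrap-S3TablesCatalogName export referenced in the troubleshooting note. Flag names, service principals and the export name come from this page; a configured AWS CLI is assumed only when the script is run with --live.

```shell
#!/bin/sh
# Added pre-flight check (not part of depot-cdk). Assumes the AWS CLI is configured
# for the target account/region when run with --live; without it only the pure
# functions are defined, so they can be exercised offline.

# BootstrapProps flag -> service principal of the service-linked role it creates
# (pairs taken from the table in this document).
LINKED_ROLE_FLAGS='esLinkedRole es.amazonaws.com
apigLinkedRole ops.apigateway.amazonaws.com
emrLinkedRole elasticmapreduce.amazonaws.com
ecsLinkedRole ecs.amazonaws.com
codestarLinkedRole codestar-notifications.amazonaws.com'

# Service-linked roles live under the IAM path /aws-service-role/<principal>/,
# so a path-prefix listing reveals whether one already exists. Prints role names.
existing_linked_role() {
  aws iam list-roles --path-prefix "/aws-service-role/$1/" \
    --query 'Roles[].RoleName' --output text 2>/dev/null
}

# Reads principals whose role already exists (one per line on stdin) and prints
# the recommended value for every flag: false where the role exists (CloudFormation
# would otherwise fail creating a duplicate), true otherwise.
recommend_flags() {
  existing=$(cat)
  printf '%s\n' "$LINKED_ROLE_FLAGS" | while read -r flag principal; do
    if printf '%s\n' "$existing" | grep -qxF -- "$principal"; then
      printf '%s: false\n' "$flag"
    else
      printf '%s: true\n' "$flag"
    fi
  done
}

# Prints the value of the bootstrap export that downstream S3 Tables stacks import;
# empty output means the account was bootstrapped without s3TablesIceberg: true.
s3tables_export_value() {
  aws cloudformation list-exports \
    --query "Exports[?Name=='SDP-Bootstrap-S3TablesCatalogName'].Value" --output text
}

if [ "${1:-}" = "--live" ]; then
  printf '%s\n' "$LINKED_ROLE_FLAGS" | while read -r flag principal; do
    if [ -n "$(existing_linked_role "$principal")" ]; then printf '%s\n' "$principal"; fi
  done | recommend_flags
  catalog=$(s3tables_export_value)
  if [ -n "$catalog" ]; then echo "s3TablesIceberg export present: $catalog"
  else echo "SDP-Bootstrap-S3TablesCatalogName missing: bootstrap lacks s3TablesIceberg: true"; fi
fi
```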