We Keep Coding

How to properly delete with AWS CDK

I did some clean up in my S3 buckets and deleted S3 bucket with weird names. Now my CDK stacks are in weird states.
I have some CDK stacks running.
$cdk ls shows
LambdaHoroscrape
I destroy the stack with those commands
cdk destroy
cdk destroy LambdaHoroscrape
Are you sure you want to delete: LambdaHoroscrape (y/n)? y
LambdaHoroscrape: destroying...
LambdaHoroscrape: destroyed
However the stack LambdaHoroscrape is still present, cdk ls confirms it.
How can I properly delete this CDK stack ?
Context: I wanted to delete the stack because my deployment ( cdk deploy ) showed this cryptic message
[%] fail: No bucket named 'cdktoolkit-stagingbucket-zd83596pa2cm'. Is account xxxxx bootstrapped?
I boostrapped my account with
cdk bootstrap aws://{account_number}/{region}
Others encountered this cryptic error as well
https://github.com/aws/aws-cdk/issues/6808
In the end, because of this error and eagerness to destroy the stack, I lost my DynamoDB data collected since 2 weeks.

The message is caused by the fact that you deleted the CDK asset bucket created during bootstrapping. You'll need to re-bootstrap your environment to deploy there.
As for deleting, CDK deploys cloudformation stacks, so a sure way to delete something is to go to the cloudformation console and delete the stack.

How to deploy AWS CDK stacks to multiple accounts?

AWS CDK stacks target an account or region based on an evironment, details here. Here is an example of an app that deploys one stack into multiple target accounts:
const envEU = { account: '2383838383', region: 'eu-west-1' };
const envUSA = { account: '8373873873', region: 'us-west-2' };
new MyFirstStack(app, 'first-stack-eu', { env: envEU });
new MyFirstStack(app, 'first-stack-us', { env: envUSA });
My question is how to deploy these 2 stacks - is it possible to deploy them as a single operation? If so, what credentials are used and what roles are required on the 2 accounts?
Ideally, I'd like to be able to do a single command to deploy all stacks across all accounts:
cdk deploy ...
Or is the deployment only possible via 2 steps?
cdk deploy first-stack-eu --profile=profile_for_account_2383838383
cdk deploy first-stack-us --profile=profile_for_account_8373873873

I ended up using the cdk-assume-role-credential-plugin to perform the task. The description of that plugin states:
This plugin allows the CDK CLI to automatically obtain AWS credentials
from a stack's target AWS account. This means that you can run a
single command (i.e. cdk synth) with a set of AWS credentials, and the
CLI will determine the target AWS account for each stack and
automatically obtain temporary credentials for the target AWS account
by assuming a role in the account.
I wrote up a detailed tutorial on how to use this plugin to perform AWS cross-account deployments using CDK here: https://johntipper.org/aws-cdk-cross-account-deployments-with-cdk-pipelines-and-cdk-assume-role-credential-plugin/

In cloudformation you can use Stack Sets for multi-account and multi-region deployments.
However, this is not yet supported in CDK according to the GitHub issue:
Support for CloudFormation StackSets #66

As of v2 of CDK this is available by default:
Now by default when you bootstrap an AWS account it will create a set of IAM roles for you, which the CDK will assume when performing actions in that account.

If you have multiple stacks in your app you have to pass every stack into the cdk deploy command e.g. cdk deploy WmStackRouteCertStack004BE231 WmStackUploadStackF8C20A98
I don't know of a way to deploy all stacks in an app, I don't like this behavior and it's the reason I try to avoid creating multiple stacks

cdk diff does not diff from console changes

I have a stack which creates IAM policies
Its deployed successfully
I then change a policy by removing few statements
Then invoke cdk diff, which does not detect the drift
Is this expected?

Indeed, cdk diff will only compare the specified stack with the local template file (created by the previous cdk deploy).
Thus, if you made some changes in the AWS Console, the AWS CDK will not detect the drift.
Since version 1.17.0, you can now do the following to detect and show drifted changes:
cdk deploy --no-execute
From the PR description:
You will be able to see the ChangeSet in AWS CloudFormation Console, validate the resources and discard or execute the ChangeSet.

lambda:GetAlias warning in CloudFormation stack update triggered by CodeStar

I am exploring CodeStar using a basic project created with the Python 3.7 Lambda template following the Serverless Project Tutorial in the AWS CodeStar documentation:
https://docs.aws.amazon.com/codestar/latest/userguide/sam-tutorial.html
My build and deploy are successful. However a see a warning in my CloudFormation event log:
The IAM user doesn't allow CloudFormation to call lambda:GetAlias, this could result in formulating a appspec file with stale CurrentVersion for CodeDeploy deployment. Please fix it to avoid any possible CodeDeploy deployment failures.
I am just using the AWS resources created automatically by the CodeStar console.
What do I do to fix this warning?
Details
The CodeDeploy step in the CodePipeline deploys the lambda function by updating a CloudFormation stack named: awscodestar-<codestar project name>-lambda.
When I looked in the event log for this stack, I noticed the above warning for the resource named HelloWorldAliaslive

To fix this, add the lambda:GetAlias permission to the inline policy associated with the IAM role named CodeStarWorker-<project>-CloudFormation
Open the AWS Console for CodeStar
Click Project in the left navbar
Find the Project Resources section. One of the AWS IAM resources will have a name CodeStarWorker-<project>-CloudFormation. Click the link in the ARN column of the table to open the role in IAM.
Locate the inline policy named CodeStarWorkerCloudFormationRolePolicy and click the Edit button.
Add the "lambda:GetAlias" action to this policy.
This policy is created automatically by CodeStar. In my account, the policy included several Statements. I chose to add the "lambda:GetAlias" action to the statement which already had "lambda:CreateAlias" action.
After making this change, the warning no longer appeared in my CloudFormation event logs.

AWS CodePipeline deploy failed

I am trying to set up a Continuous Integration pipeline for my simple AWS lambda function. To confess, the is my very first time using AWS code pipeline. I am having trouble with setting up the pipeline. The deploy stage in the pipeline is failing.
I created a CodeBuild
Then I created an application in CodeDeploy
Then I created a CodePipeline choosing the source as GitHub. The selected a repository and branch from the GitHub. Then linked the pipeline with the CodeDeploy application and CodeBuild I previously created.
After I save the pipeline and when the pipeline is built, I am getting this error.
When I check the error details, it says this
Unable to access the artifact with Amazon S3 object key 'the-goodyard-pipelin/BuildArtif/G12YurC' located in the Amazon S3 artifact bucket 'codepipeline-us-east-1-820116794245'. The provided role does not have sufficient permissions.
Basically, that Bucket does not exist as well. Isn't the Bucket created automatically? What went wrong with my set up?
The Bucket exist as well. It is just throwing error.
In the bucket, I can see the zip file as well.

Well, the error message looks self explanatory, the role you assigned to codebuild doesn't have enough access to go to s3.
Go to codebuild -> Build projects - > Choose your project -> Click on tab 'Build Details'.
You will see a 'Service Role' ARN, that if you click on it, it will send you to that IAM role (if you are not an admin for that account, you may not have enough permissions to see IAM, as it is a critical permission service, so check this with the admin.)
Check the policies for that role, and check if the policies have the action: s3:GetObject on resource: your bucket.
If it doesn't, then you need to add it. Use the visual editor, use S3 as service, add Get* as action, and your s3 bucket to it.