Tech Blog

Deploying to the Wrong Region with AWS CDK + PowerShell + SSO, and How We Cleaned It Up

by Tech Writer
AWS CDK CloudFormation PowerShell

Introduction

“The deployment succeeded!” — or so we thought. The CloudFormation stack was actually created in us-east-1 (N. Virginia) instead of ap-northeast-1 (Tokyo).

This is a record of a failure with AWS CDK + Windows PowerShell + AWS SSO, and the subsequent cleanup.


Setup

  • OS: Windows 11
  • Shell: PowerShell 5.1
  • AWS auth: AWS SSO (IAM Identity Center)
  • CDK version: 2.x
  • Target region: ap-northeast-1 (Tokyo)

What Happened

# CDK deploy command
cdk deploy --profile myproject-dev

When we checked afterward, the CloudFormation stack was in us-east-1, not Tokyo.


Root Cause Analysis

Cause 1: CDK env configuration was missing

// cdk/lib/app-stack.ts
const app = new cdk.App();
new AppStack(app, 'DvdRentalStack', {
  // env was not specified
});

When env is not specified, CDK resolves the region from environment variables or default settings at deploy time.

// Correct approach
new AppStack(app, 'DvdRentalStack', {
  env: {
    account: process.env.CDK_DEFAULT_ACCOUNT,
    region: 'ap-northeast-1',  // explicitly specified
  }
});

Cause 2: Stale AWS environment variable in PowerShell

A us-east-1 environment variable from previous work was still set.

# Leftover environment variable
$env:AWS_DEFAULT_REGION  # = "us-east-1"

CDK prioritizes environment variables over profile settings, so even with Tokyo configured in the profile, it deployed to us-east-1.

Cause 3: Skipped cdk synth verification

# Should have run this before deploying
cdk synth --profile myproject-dev

Checking whether ap-northeast-1 appeared in the cdk synth output would have caught the issue before deployment.


Cleanup

We had to delete the stack in the wrong region and re-create it in the correct region.

Step 1: Verify stack in wrong region

# Check stacks in us-east-1
aws cloudformation describe-stacks `
    --region us-east-1 `
    --profile myproject-dev `
    --query "Stacks[?StackName=='DvdRentalStack'].{Name:StackName,Status:StackStatus}"

Step 2: Delete stack in wrong region

aws cloudformation delete-stack `
    --stack-name DvdRentalStack `
    --region us-east-1 `
    --profile myproject-dev

Wait for deletion to complete:

aws cloudformation wait stack-delete-complete `
    --stack-name DvdRentalStack `
    --region us-east-1 `
    --profile myproject-dev

Step 3: Deploy to correct region

Clear environment variables and explicitly set Tokyo region:

# Clear incorrect environment variables
Remove-Item Env:AWS_DEFAULT_REGION -ErrorAction SilentlyContinue
Remove-Item Env:AWS_REGION -ErrorAction SilentlyContinue

# Verify region in synth output before deploying
cdk synth --profile myproject-dev | Select-String "ap-northeast-1"

# Deploy after confirmation
cdk deploy --profile myproject-dev

Prevention Measures

Measure 1: Always explicitly specify CDK env

new AppStack(app, 'DvdRentalStack', {
  env: {
    account: process.env.CDK_DEFAULT_ACCOUNT,
    region: 'ap-northeast-1',  // hardcoded to Tokyo
  }
});

Measure 2: Always run cdk synth before deploying

# Always follow this flow
cdk synth --profile myproject-dev   # ← verify region
cdk diff --profile myproject-dev    # ← verify changes
cdk deploy --profile myproject-dev  # ← deploy
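
The region check in this flow can be automated against the manifest that cdk synth writes. The script below is an added example, not code from the original post: it assumes cdk.out/manifest.json lists each stack artifact with a type of "aws:cloudformation:stack" and an environment of the form "aws://<account>/<region>". The function name Test-CdkManifestRegion is hypothetical and the sample manifest is constructed. It fails on a wrong region, on a stack whose region is still unresolved, and on stale region variables in the shell.

```powershell
# Pre-deploy region guard. Added example; Test-CdkManifestRegion is a hypothetical name.
# Assumes cdk synth wrote cdk.out/manifest.json, whose stack artifacts carry
# type "aws:cloudformation:stack" and environment "aws://<account>/<region>".
function Test-CdkManifestRegion {
    param(
        [Parameter(Mandatory)] [string] $ManifestJson,
        [string] $ExpectedRegion = 'ap-northeast-1'
    )
    $manifest = $ManifestJson | ConvertFrom-Json
    foreach ($artifact in $manifest.artifacts.PSObject.Properties) {
        if ($artifact.Value.type -ne 'aws:cloudformation:stack') { continue }
        # A stack without env synthesizes as aws://unknown-account/unknown-region:
        # its region is decided at deploy time, so it fails the check as well.
        $region = ($artifact.Value.environment -split '/')[-1]
        if ($region -ne $ExpectedRegion) { "$($artifact.Name) -> $region" }
    }
}

# Constructed sample manifest (not from the post): one env-agnostic stack, one pinned.
$sample = @'
{
  "version": "36.0.0",
  "artifacts": {
    "DvdRentalStack.assets": { "type": "cdk:asset-manifest" },
    "DvdRentalStack": { "type": "aws:cloudformation:stack",
                        "environment": "aws://unknown-account/unknown-region" },
    "PinnedStack": { "type": "aws:cloudformation:stack",
                     "environment": "aws://123456789012/ap-northeast-1" }
  }
}
'@

# Use the real manifest when present; the sample only keeps the example runnable offline.
$path = 'cdk.out/manifest.json'
$json = if (Test-Path $path) { Get-Content $path -Raw } else { $sample }
$bad = @(Test-CdkManifestRegion -ManifestJson $json)

# Stale shell variables override the profile's region (Cause 2), so report them too.
foreach ($name in 'AWS_REGION', 'AWS_DEFAULT_REGION') {
    $value = [Environment]::GetEnvironmentVariable($name)
    if ($value -and $value -ne 'ap-northeast-1') { $bad += "$name = $value" }
}

if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Warning "Region check failed: $_" }
    throw 'Wrong or unresolved region; not deploying.'
}
Write-Output 'All stacks are pinned to ap-northeast-1.'
```

Run it between cdk synth and cdk deploy; because it throws on any finding, a wrapper script stops before the deploy step.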

Measure 3: Explicitly export PowerShell SSO credentials

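Setting the temporary credentials from AWS SSO as PowerShell environment variables eliminates ambiguity in profile resolution.

# SSO login
aws sso login --profile myproject-dev

# Get and export temporary credentials.
# sts get-session-token rejects the role-session credentials that an SSO profile
# provides, so read the resolved credentials with export-credentials (AWS CLI v2).
$creds = aws configure export-credentials --profile myproject-dev --format process | ConvertFrom-Json
$env:AWS_ACCESS_KEY_ID = $creds.AccessKeyId
$env:AWS_SECRET_ACCESS_KEY = $creds.SecretAccessKey
$env:AWS_SESSION_TOKEN = $creds.SessionToken
$env:AWS_DEFAULT_REGION = "ap-northeast-1"

# Now cdk commands use env vars instead of profile.
# These values stay set for the rest of the PowerShell session; remove them when done
# so they do not become the stale variables described in Cause 2.
cdk deploy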

Summary

Lessons learned from this failure:

  1. Hardcode CDK env explicitly — don’t rely on environment variables or defaults
  2. Verify region with cdk synth before deploying — checking the manifest region is the last line of defense
  3. Check if PowerShell’s $env:AWS_DEFAULT_REGION has stale values — watch for leftovers from previous work
  4. If you deploy to the wrong region, complete the cleanup immediately — leaving it until the next day makes things more complex

The Windows + AWS SSO + CDK combination has many pitfalls, but making cdk synth manifest checking a habit prevents most wrong-region deployments.

