Never deploy AWS CDK Stacks in wrong account again

Working for different customers and of cause in different accounts for lets say development and production, it is vital not to deploy in the wrong account!

Taskfile

This tool (taskfile.dev) allows preconditions for executing tasks.

  deploy-prod:
    desc: deploy Lambda
    cmds:
      - export CDK_DEFAULT_ACCOUNT={{.account}} && npx cdk@{{.version}} deploy reporting
    preconditions:
      - sh: "[ '{{.account}}' = '{{.accountprod}}' ]"
        msg: "Account not prod, Halting"

Where

deploy-prod - the Name of the Task
desc - ription
cmds - commands
{{.account}} - a variable
preconditions - only run this task if true

Thats good, but how do I get the account number?

You get the current account number with the STS simple/secure token services from aws. In the response, you query only the Account number, so

aws sts get-caller-identity --query Account --output text

Gives you the account number of the current credentials.

For the CDK, you tell it with

new LambdaStack(app, 'lambda', {
  env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
});

To use the environment for account and region.

All together in the Taskfile

# https://taskfile.dev

version: '3'

env:
  CDK_DEFAULT_REGION: eu-west-1
vars:
  region: eu-west-1
  account: 
    sh: aws sts get-caller-identity --query Account --output text
  accountdev: 
  accounttest:     
  accountprod: 555555555555    
  # CDK Version
  version: v2.0.0-rc.7

tasks:
  deploy-prod:
    desc: deploy Lambda/Reporting Stack
    cmds:
      - export CDK_DEFAULT_ACCOUNT={{.account}} && npx cdk@{{.version}} deploy reporting
    preconditions:
      - sh: "[ '{{.account}}' = '{{.accountprod}}' ]"
        msg: "Account nicht prod, Halting"