Manage bucket via CLI scripts, not CloudFormation

- setup-bucket.sh creates bucket via CLI, registers name in a CFN stack
- cleanup-bucket.sh empties and deletes bucket, then deletes the stack
- prereq-bucket.yaml is now a thin parameter-based template (no S3 resource)
- test-cfn.py reverted to clean prereq detection (no inline fallback)
- All 10 templates now pass deploy+delete including 003-s3

Author: mwunderl

cfn/cleanup-bucket.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# Empty and delete the shared tutorial S3 bucket, then delete the CloudFormation stack.
+# Usage: ./cfn/cleanup-bucket.sh
+set -eo pipefail
+
+STACK_NAME="tutorial-prereqs-bucket"
+
+BUCKET_NAME=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
+    --query 'Stacks[0].Outputs[?OutputKey==`BucketName`].OutputValue' --output text 2>/dev/null)
+
+if [ -z "$BUCKET_NAME" ] || [ "$BUCKET_NAME" = "None" ]; then
+    echo "No bucket stack found."
+    exit 0
+fi
+
+echo "Bucket: $BUCKET_NAME"
+
+# Empty the bucket (including versions)
+OBJ_COUNT=$(aws s3api list-objects-v2 --bucket "$BUCKET_NAME" --query 'KeyCount' --output text 2>/dev/null || echo "0")
+if [ "$OBJ_COUNT" -gt 0 ] 2>/dev/null; then
+    echo "Emptying $OBJ_COUNT objects..."
+    aws s3 rm "s3://$BUCKET_NAME" --recursive --quiet
+fi
+
+# Delete versions and delete markers
+aws s3api list-object-versions --bucket "$BUCKET_NAME" \
+    --query '{Objects: Versions[].{Key:Key,VersionId:VersionId}, Quiet: true}' \
+    --output json 2>/dev/null | \
+    aws s3api delete-objects --bucket "$BUCKET_NAME" --delete file:///dev/stdin > /dev/null 2>&1 || true
+
+aws s3api list-object-versions --bucket "$BUCKET_NAME" \
+    --query '{Objects: DeleteMarkers[].{Key:Key,VersionId:VersionId}, Quiet: true}' \
+    --output json 2>/dev/null | \
+    aws s3api delete-objects --bucket "$BUCKET_NAME" --delete file:///dev/stdin > /dev/null 2>&1 || true
+
+echo "Deleting bucket: $BUCKET_NAME"
+aws s3api delete-bucket --bucket "$BUCKET_NAME"
+
+echo "Deleting stack: $STACK_NAME"
+aws cloudformation delete-stack --stack-name "$STACK_NAME"
+aws cloudformation wait stack-delete-complete --stack-name "$STACK_NAME"
+
+echo "Done."

cfn/prereq-bucket.yaml

@@ -1,30 +1,26 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: >-
-  Shared S3 bucket for tutorial artifacts. Deploy once, reference from other
-  tutorial stacks via cross-stack export. Empty the bucket before deleting.
+  Shared S3 bucket reference for tutorials. The bucket is created and deleted
+  by setup-bucket.sh and cleanup-bucket.sh. This stack just exports the name
+  so other tutorial stacks can import it.
+
+Parameters:
+  BucketName:
+    Type: String
+    Description: Name of the bucket created by setup-bucket.sh
 
 Resources:
-  TutorialBucket:
-    Type: AWS::S3::Bucket
-    DeletionPolicy: Delete
-    Properties:
-      BucketEncryption:
-        ServerSideEncryptionConfiguration:
-          - ServerSideEncryptionRule:
-              ServerSideEncryptionByDefault:
-                SSEAlgorithm: AES256
-      Tags:
-        - Key: tutorial
-          Value: shared-bucket
+  Placeholder:
+    Type: AWS::CloudFormation::WaitConditionHandle
 
 Outputs:
   BucketName:
     Description: Name of the shared tutorial bucket
-    Value: !Ref TutorialBucket
+    Value: !Ref BucketName
     Export:
       Name: !Sub '${AWS::StackName}-BucketName'
   BucketArn:
     Description: ARN of the shared tutorial bucket
-    Value: !GetAtt TutorialBucket.Arn
+    Value: !Sub 'arn:aws:s3:::${BucketName}'
     Export:
       Name: !Sub '${AWS::StackName}-BucketArn'

cfn/setup-bucket.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# Create the shared tutorial S3 bucket and register it with CloudFormation.
+# Usage: ./cfn/setup-bucket.sh
+set -eo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+STACK_NAME="tutorial-prereqs-bucket"
+ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
+REGION=$(aws configure get region 2>/dev/null || echo "us-east-1")
+BUCKET_NAME="tutorial-bucket-${ACCOUNT_ID}-${REGION}"
+
+# Check if stack already exists
+STATUS=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
+    --query 'Stacks[0].StackStatus' --output text 2>/dev/null || echo "NONE")
+
+if [ "$STATUS" = "CREATE_COMPLETE" ] || [ "$STATUS" = "UPDATE_COMPLETE" ]; then
+    EXISTING=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
+        --query 'Stacks[0].Outputs[?OutputKey==`BucketName`].OutputValue' --output text)
+    echo "Bucket already exists: $EXISTING"
+    exit 0
+fi
+
+echo "Creating bucket: $BUCKET_NAME"
+if [ "$REGION" = "us-east-1" ]; then
+    aws s3api create-bucket --bucket "$BUCKET_NAME"
+else
+    aws s3api create-bucket --bucket "$BUCKET_NAME" \
+        --create-bucket-configuration LocationConstraint="$REGION"
+fi
+
+aws s3api put-bucket-encryption --bucket "$BUCKET_NAME" \
+    --server-side-encryption-configuration \
+    '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
+
+aws s3api put-public-access-block --bucket "$BUCKET_NAME" \
+    --public-access-block-configuration \
+    'BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true'
+
+echo "Registering bucket with CloudFormation stack: $STACK_NAME"
+aws cloudformation deploy \
+    --template-file "$SCRIPT_DIR/prereq-bucket.yaml" \
+    --stack-name "$STACK_NAME" \
+    --parameter-overrides "BucketName=$BUCKET_NAME"
+
+echo "Done. Bucket: $BUCKET_NAME"
+echo "Other stacks can import: !ImportValue ${STACK_NAME}-BucketName"

test-cfn.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/env python
 """Test all CloudFormation templates: validate, deploy, verify, delete.
 
 Usage: python3 test-cfn.py [--parallel N] [--skip-deploy] [--region REGION]
@@ -138,7 +138,8 @@ def ensure_prereqs(cfn, repo_root, needed_stacks):
             waiter.wait(StackName=stack_name, WaiterConfig={"Delay": 15, "MaxAttempts": 40})
             print(f"  Prereq {stack_name}: ready")
         except Exception as e:
-            print(f"  Prereq {stack_name}: FAILED ({e})")
+            print(f"  Prereq {stack_name}: CFN deploy failed ({e})")
+            print(f"  Prereq {stack_name}: Run ./cfn/setup-bucket.sh first, then retry.")
             failed.add(stack_name)
             try:
                 cfn.delete_stack(StackName=stack_name)