3 answers
1
It would be better to remove them immediately during the account decommissioning process. CfCT may throw errors if an account is listed in stack instances and it can't access the account (suspended, or had the AWSControlTowerExecution role removed).
answered a year ago
0
So it sounds like the best order of operations is to remove all stack sets from CT/CfCT prior to account closure. Or all together:
-Remove Service Catalog Product
-Move to suspended OU
-Delete any remaining Stack Instances
-Close account.
answered a year ago
0
And removing them is just a manual process (or could be scripted)?
answered a year ago
It could be manual, though it's just removing the stack instances from the StackSets, so could be scripted via CLI calls or other tooling.
A few other steps that I think would be relevant with some added detail and a little re-ordering. For the most part I think you’ve got the idea though:
-Move account to “Transitional” OU - or some OU that is outside of manifest OUs but within Control Tower governance. Do this by doing an update to the provisioned product in Service Catalog.
-Rerun the CfCT pipeline; this action will delete StackSet instances deployed by CfCT from the account.
-Terminate the provisioned Service Catalog product associated with the account to unmanage the account from Control Tower. This action will also delete StackSet instances deployed by Control Tower from the account and remove the Control Tower admin role.
-Ensure all resources are shut down/deleted on the account (EC2, RDS, etc…).
-Move to the “Suspended” OU, which is outside of both Control Tower control and the CfCT manifest and has a deny * SCP attached.
--Leave in Suspended OU. Verify CfCT and StackSets are working properly.
--Delete the account following this process: https://aws.amazon.com/premiumsupport/knowledge-center/close-aws-account/
--The account will be in suspend mode for 90 days before deletion.
Thank you for the very thorough response to this!
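The "delete any remaining stack instances" step above, and the earlier comment that this could be scripted via CLI calls, look like the following when scripted. This is an added example written for this thread, not code from AWS, Control Tower or CfCT. It assumes it runs in the Control Tower management account (where the self-managed CfCT and Control Tower StackSets live) with AWS CLI v2 on the path and credentials already configured; the StackSet names, account IDs and the `fake_cli` stand-in are constructed so the script can be exercised offline, and only `aws_cli` talks to AWS.

```python
"""Find and remove the StackSet instances that still target an account being
decommissioned. Added example for this thread, not AWS or CfCT code.
Run from the Control Tower management account, where the CfCT and Control
Tower self-managed StackSets live."""
import json
import subprocess
from collections import defaultdict


def aws_cli(args):
    """Run one AWS CLI command (args without the leading 'aws') and return its parsed JSON."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def find_instances_for_account(account_id, run=aws_cli):
    """Map each ACTIVE StackSet name to the sorted regions in which it still
    has a stack instance for account_id."""
    targets = defaultdict(set)
    for stack_set in run(["cloudformation", "list-stack-sets",
                          "--status", "ACTIVE"]).get("Summaries", []):
        name = stack_set["StackSetName"]
        instances = run(["cloudformation", "list-stack-instances",
                         "--stack-set-name", name,
                         "--stack-instance-account", account_id])
        for inst in instances.get("Summaries", []):
            if inst.get("Account") == account_id:  # re-check the server-side filter
                targets[name].add(inst["Region"])
    return {name: sorted(regions) for name, regions in targets.items()}


def build_delete_commands(account_id, targets, retain_stacks=False):
    """One delete-stack-instances call per StackSet, covering all its regions.
    retain_stacks=True drops the instance records without calling into the
    target account; use it once the account is suspended/closed or the
    AWSControlTowerExecution role is gone, when a real delete would fail."""
    commands = []
    for name, regions in sorted(targets.items()):
        commands.append(["cloudformation", "delete-stack-instances",
                         "--stack-set-name", name,
                         "--accounts", account_id,
                         "--regions", *regions,
                         "--retain-stacks" if retain_stacks else "--no-retain-stacks"])
    return commands


def delete_instances(account_id, targets, run=aws_cli, retain_stacks=False):
    """Issue the deletions and return {StackSetName: OperationId}. Poll
    describe-stack-set-operation on each id before closing the account; a
    StackSet only allows one operation in progress at a time."""
    operations = {}
    for cmd in build_delete_commands(account_id, targets, retain_stacks):
        name = cmd[cmd.index("--stack-set-name") + 1]
        operations[name] = run(cmd).get("OperationId")
    return operations


# Constructed sample data shaped like the real CLI JSON: a management account
# with three CfCT StackSets (names and account IDs are made up).
DECOMMISSIONED_ACCOUNT = "111122223333"
SAMPLE_STACK_SETS = {"Summaries": [
    {"StackSetName": "CustomControlTower-GuardDuty", "Status": "ACTIVE"},
    {"StackSetName": "CustomControlTower-ConfigRules", "Status": "ACTIVE"},
    {"StackSetName": "CustomControlTower-Logging", "Status": "ACTIVE"},
]}
SAMPLE_INSTANCES = {
    "CustomControlTower-GuardDuty": [
        {"Account": "111122223333", "Region": "us-east-1", "Status": "CURRENT"},
        {"Account": "111122223333", "Region": "eu-west-1", "Status": "CURRENT"},
        {"Account": "444455556666", "Region": "us-east-1", "Status": "CURRENT"},
    ],
    "CustomControlTower-ConfigRules": [
        {"Account": "111122223333", "Region": "us-east-1", "Status": "INOPERABLE"},
    ],
    "CustomControlTower-Logging": [
        {"Account": "444455556666", "Region": "us-east-1", "Status": "CURRENT"},
    ],
}


def fake_cli(args):
    """Offline stand-in for aws_cli that answers from the constructed sample data."""
    if args[:2] == ["cloudformation", "list-stack-sets"]:
        return SAMPLE_STACK_SETS
    if args[:2] == ["cloudformation", "list-stack-instances"]:
        name = args[args.index("--stack-set-name") + 1]
        account = args[args.index("--stack-instance-account") + 1]
        return {"Summaries": [i for i in SAMPLE_INSTANCES.get(name, [])
                              if i["Account"] == account]}
    if args[:2] == ["cloudformation", "delete-stack-instances"]:
        return {"OperationId": "op-" + args[args.index("--stack-set-name") + 1]}
    raise ValueError(f"unexpected command: {args}")


if __name__ == "__main__":
    found = find_instances_for_account(DECOMMISSIONED_ACCOUNT, run=fake_cli)
    for cmd in build_delete_commands(DECOMMISSIONED_ACCOUNT, found):
        print("aws", " ".join(cmd))
    print(delete_instances(DECOMMISSIONED_ACCOUNT, found, run=fake_cli))
```

Run it as-is to see the plan against the sample data, then swap `run=fake_cli` for the default `aws_cli` to act on a real management account. Do the inventory while the account is still in an OU under Control Tower governance with the execution role intact, so `--no-retain-stacks` can actually delete the stacks; if the account has already been suspended or closed, the same inventory with `retain_stacks=True` is what clears the stale instance records that make CfCT throw errors.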