3 answers
1
It would be better to remove them immediately during the account decommissioning process. CfCT may throw errors if an account is listed in stack instances and it can't access the account (suspended or had the AWSControlTowerExecution role removed).
answered 1 year ago
0
So it sounds like the best order of operations is to remove all stack sets from CT/CfCT prior to account closure. Or all together:
- Remove Service Catalog Product
- Move to suspended OU
- Delete any remaining Stack Instances
- Close account.
answered 1 year ago
0
And removing them is just a manual process (or could be scripted)?
answered 1 year ago
It could be manual, though it's just removing the stack instances from the StackSets, so could be scripted via CLI calls or other tooling.
A few other steps that I think would be relevant with some added detail and a little re-ordering. For the most part I think you’ve got the idea though:
- Move account to “Transitional” OU - or some OU that is outside of manifest OUs but within Control Tower governance. Do this by doing an update to the provisioned product in Service Catalog.
- Rerun the CfCT pipeline; this action will delete StackSet instances deployed by CfCT from the account.
- Terminate the provisioned Service Catalog product associated with the account to unmanage the account from Control Tower. This action will also delete StackSet instances deployed by Control Tower from the account and also removes the Control Tower admin role.
- Ensure all resources are shut down/deleted on the account (EC2, RDS, etc…).
- Move to “Suspended” OU which is outside of both Control Tower control and CfCT manifest and has a deny * SCP attached.
  - Leave in Suspended OU. Verify CfCT and StackSets are working properly.
  - Delete the account following this process: https://aws.amazon.com/premiumsupport/knowledge-center/close-aws-account/
  - The account will be in suspend mode for 90 days before deletion.
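One way to script the "remove the stack instances from the StackSets" step mentioned above, as an added example that is not from this thread or from AWS: it assumes self-managed StackSets (the kind CfCT deploys), an AWS CLI configured in the StackSet administrator account, and the account id in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: remove every CloudFormation StackSet
# instance that targets one member account, run from the StackSet admin account
# before that account is moved to the Suspended OU and closed.
# Assumes self-managed StackSets (what CfCT deploys) and a configured AWS CLI.
set -eu

# Print the names of ACTIVE StackSets that still have an instance in account $1.
stack_sets_with_instances_in() {
  account="$1"
  aws cloudformation list-stack-sets --status ACTIVE \
      --query 'Summaries[].StackSetName' --output text | tr '\t' '\n' |
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    count=$(aws cloudformation list-stack-instances --stack-set-name "$name" \
              --stack-instance-account "$account" \
              --query 'length(Summaries)' --output text)
    [ "$count" = "0" ] || printf '%s\n' "$name"
  done
}

# Regions (space separated) in which StackSet $1 has an instance for account $2.
instance_regions() {
  aws cloudformation list-stack-instances --stack-set-name "$1" \
      --stack-instance-account "$2" \
      --query 'Summaries[].Region' --output text | tr '\t' ' '
}

# Delete the instances of every StackSet for account $1 and print one line per
# StackSet operation started. RETAIN=true keeps the member stacks (for when the
# execution role is already gone); the default deletes the member stacks too.
remove_account_stack_instances() {
  account="$1"
  expr "$account" : '[0-9]\{12\}$' >/dev/null || {
    echo "not a 12-digit account id: $account" >&2; return 2; }
  if [ "${RETAIN:-false}" = true ]; then flag=--retain-stacks
  else flag=--no-retain-stacks; fi
  stack_sets_with_instances_in "$account" | while IFS= read -r name; do
    regions=$(instance_regions "$name" "$account")
    # shellcheck disable=SC2086  # regions is intentionally word-split
    op=$(aws cloudformation delete-stack-instances --stack-set-name "$name" \
           --accounts "$account" --regions $regions "$flag" \
           --query OperationId --output text)
    printf 'removing %s from %s [%s] operation %s\n' "$account" "$name" "$regions" "$op"
  done
}

# Usage: ./remove_stack_instances.sh 111122223333   (constructed account id)
if [ "$#" -gt 0 ]; then remove_account_stack_instances "$1"; fi
```

Each delete-stack-instances call returns an operation id; check it with `aws cloudformation describe-stack-set-operation` before moving the account to the Suspended OU, since an instance left behind is exactly what makes CfCT error once the execution role is gone.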
Thank you for the very thorough response to this!