3 Answers
1
It would be better to remove them immediately during the account decommissioning process. CfCT may throw errors if an account is listed in stack instances and it can't access the account (because the account is suspended or has had the AWSControlTowerExecution role removed).
answered a year ago
0
So it sounds like the best order of operations is to remove all stack sets from CT/CfCT prior to account closure. Or, all together:
- Remove Service Catalog Product
- Move to suspended OU
- Delete any remaining Stack Instances
- Close account.
answered a year ago
0
And removing them is just a manual process (or could be scripted)?
answered a year ago
It could be manual, though it's just removing the stack instances from the StackSets, so could be scripted via CLI calls or other tooling.
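As an added example (not code from the thread, Control Tower or CfCT), the scripted path mentioned in the reply above: a Python/boto3 helper that finds every StackSet instance still targeting the account being closed and issues one DeleteStackInstances call per StackSet. It assumes boto3 credentials for the Control Tower management account, skips Control Tower's own AWSControlTower* baseline StackSets (an assumption, since the thread leaves those to terminating the Service Catalog product), and all function names and sample data are hypothetical.

```python
from collections import defaultdict

# Assumption: Control Tower's own baseline StackSets are named AWSControlTower*;
# the thread leaves those to the Service Catalog product termination step.
SKIP_PREFIXES = ("AWSControlTower",)

# Constructed sample shaped like the Summaries items of ListStackInstances.
SAMPLE_INSTANCES = [
    {"StackSetId": "CfCT-Example-Logging:1111-aaaa", "Region": "us-east-1",
     "Account": "111111111111", "Status": "CURRENT"},
    {"StackSetId": "CfCT-Example-Logging:1111-aaaa", "Region": "eu-west-1",
     "Account": "111111111111", "Status": "CURRENT"},
    {"StackSetId": "AWSControlTowerBP-EXAMPLE:2222-bbbb", "Region": "us-east-1",
     "Account": "111111111111", "Status": "CURRENT"},
    {"StackSetId": "CfCT-Example-Logging:1111-aaaa", "Region": "us-east-1",
     "Account": "333333333333", "Status": "CURRENT"},
]

def plan_removals(stack_instances, account_id, skip_prefixes=SKIP_PREFIXES):
    """Map StackSet name -> sorted regions still holding an instance in account_id.
    StackSetId is "<name>:<uuid>", so the name is the part before the colon."""
    targets = defaultdict(set)
    for inst in stack_instances:
        name = inst["StackSetId"].split(":", 1)[0]
        if inst.get("Account") != account_id or name.startswith(skip_prefixes):
            continue
        targets[name].add(inst["Region"])
    return {name: sorted(regions) for name, regions in sorted(targets.items())}

def collect_instances(cfn, account_id):
    """Ask every ACTIVE StackSet for its instances in account_id (live boto3 call)."""
    found = []
    for page in cfn.get_paginator("list_stack_sets").paginate(Status="ACTIVE"):
        for ss in page["Summaries"]:
            inst_pages = cfn.get_paginator("list_stack_instances").paginate(
                StackSetName=ss["StackSetName"], StackInstanceAccount=account_id)
            found.extend(s for p in inst_pages for s in p["Summaries"])
    return found

def delete_planned(cfn, plan, account_id, dry_run=True):
    """One DeleteStackInstances per StackSet; returns {name: OperationId}."""
    ops = {}
    for name, regions in plan.items():
        if dry_run:
            print(f"would delete {name} instances in {account_id} for {regions}")
            continue
        resp = cfn.delete_stack_instances(StackSetName=name, Accounts=[account_id],
                                          Regions=regions, RetainStacks=False)
        ops[name] = resp["OperationId"]
    return ops
```

Against a live management account, pass a `boto3.client("cloudformation")` to `collect_instances`, review the dry-run output of `delete_planned`, then rerun it with `dry_run=False`.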
A few other steps that I think would be relevant, with some added detail and a little re-ordering. For the most part I think you've got the idea though:
- Move account to "Transitional" OU, or some OU that is outside of manifest OUs but within Control Tower governance. Do this by doing an update to the provisioned product in Service Catalog.
- Rerun the CfCT pipeline; this action will delete StackSet instances deployed by CfCT from the account.
- Terminate the provisioned Service Catalog product associated with the account to unmanage the account from Control Tower. This action will also delete StackSet instances deployed by Control Tower from the account and also removes the Control Tower admin role.
- Ensure all resources are shut down/deleted on the account (EC2, RDS, etc.).
- Move to "Suspended" OU, which is outside of both Control Tower control and CfCT manifest and has a deny * SCP attached.
  - Leave in Suspended OU. Verify CfCT and StackSets are working properly.
  - Delete the account following this process: https://aws.amazon.com/premiumsupport/knowledge-center/close-aws-account/
  - The account will be in suspended mode for 90 days before deletion.
Thank you for the very thorough response to this!