AWS Control Tower failed to set up your landing zone completely


Hello everyone. Hope you're doing fantastic!

My Control Tower got stuck in this stage.

Trying to fix this, I deleted the Organization and every role and policy related to Control Tower on the shared and member accounts. No success.

I was able to manually recreate a new Organization and every single CloudFormation stack that Control Tower generates on all the accounts.

I could even modify the AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER and the AWSControlTowerBP-BASELINE-CONFIG-MASTER stacks on the manager account.

Still, every time I go to the Landing Zone page, it shows the message as seen on the screenshot.

Is there any way I could bring back the Landing Zone page?

I do not mind if I need to recreate everything from scratch again. All I want is to be able to delete this message.

Looking forward to your reply,

Thanks in advance.

control-tower-error

cloudformation

1 Answer

Hi, have you tried decommissioning your landing zone? https://docs.aws.amazon.com/controltower/latest/userguide/decommission-landing-zone.html

Here is the link on how to decommission your landing zone: https://docs.aws.amazon.com/controltower/latest/userguide/how-to-decommission.html

Manually deleting all of your AWS Control Tower resources is not the same as decommissioning. It will not allow you to set up a new landing zone.

Once the decommissioning is successful, follow the documentation here before setting up CT again after decommissioning a landing zone: https://docs.aws.amazon.com/controltower/latest/userguide/known-issues-decommissioning.html

Please do let me know if this worked for you.

AWS
answered 8 months ago
  • Hi, thanks for replying.

    None of these worked, and I will explain why and how I fixed it.

    As seen on the snapshots and as I mentioned, the Control Tower page was stuck. No way I could do any decommissioning at all.

    The reason was that the AWSControlTowerAdmin service-role had been deleted. Control Tower needs it imperatively to move on with its process (Service Catalog, CloudFormation on every account for roles, permissions, Lambda creation, Config, etc.).

    On IAM I was not able to create the AWSControlTowerAdmin service-role (I was not able to change the root path from / to /service-role/).

    I just implemented a CloudFormation template specifying the /service-role/ path for the AWSControlTowerAdmin role and attached its permission policy.

    Once I did that, Control Tower started making some progress. At the end of the day, I had to go to every single account (Audit, Log Archive, and the Workload accounts in general) and delete the CloudFormation stack Control Tower generated the first time.

    On the Manager account, I deleted every single CloudFormation stack and StackSet too, via the CLI.

    Because of the AWSControlTowerAdmin role added, Control Tower was able to generate the Organizational Units, and make the enrollments as expected.

    Took a while to understand the whole process, but it was worth learning.
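For readers who hit the same wall, here is an added CloudFormation template (not the commenter's own) that recreates the AWSControlTowerAdmin role under the /service-role/ path, which the IAM console will not let you set. The trust principal and the AWSControlTowerServiceRolePolicy managed policy come from the public Control Tower documentation; the inline policy name and its single ec2:DescribeAvailabilityZones statement are assumed from that same documentation and should be verified against the current version before deploying.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Recreate the AWSControlTowerAdmin service role under /service-role/.
  Added example for the re:Post thread above, not the poster's template;
  verify the trust and permission details against the current AWS docs.

Resources:
  ControlTowerAdminRole:
    Type: AWS::IAM::Role
    Properties:
      # Control Tower looks for this exact name and path in the management account.
      RoleName: AWSControlTowerAdmin
      Path: /service-role/
      # Only the Control Tower service principal may assume the role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: controltower.amazonaws.com
            Action: sts:AssumeRole
      # AWS managed permission policy documented for this role.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy
      # Inline policy as documented for the role (assumed; verify against the docs).
      Policies:
        - PolicyName: AWSControlTowerAdminPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ec2:DescribeAvailabilityZones
                Resource: '*'

Outputs:
  ControlTowerAdminRoleArn:
    Description: ARN of the recreated service role
    Value: !GetAtt ControlTowerAdminRole.Arn
```

Deploy it in the management account with `aws cloudformation deploy --stack-name controltower-admin-role --template-file template.yaml --capabilities CAPABILITY_NAMED_IAM`; the named-IAM capability is required because the role name is fixed.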
