Support AWS Control Tower managed accounts

fdeswardt commented 3 years ago

Is your feature request related to a problem? Please describe. Yes, the aws-nuke template included in DCE blows away several Control Tower resources e.g. AWS SSO roles and SAML provider, StackSet roles and stacks, OrganizationAccountAccessRole, and attempts to "nuke" Config configurations that are prevented by SCPs attached to the OU.

Describe the solution you'd like Updated aws-nuke template to include filters for the AWS Control Tower and AWS Organizations roles and configurations.

Describe alternatives you've considered Create custom aws-nuke template and overide the default template though requires additional steps in deployments.

Additional context During the DCE presentation at re:Invent 2019 it was mentioned that "there is no reason why DCE will not work with Control Tower managed accounts" though the default aws-nuke template will most definitely not work with CT managed accounts, nor with accounts that are part of AWS Organization with all features enabled, the required state when deploying Control Tower.

eschwartz commented 3 years ago

@fdeswardt you can customize the aws-nuke template

https://dce.readthedocs.io/en/latest/howto.html#account-resets

fdeswardt commented 3 years ago

Hi @eschwartz I'm aware that I can customize awe-nuke default template though want to know if there are more templates to choose from eg. template that will preserve AWS Organization resources like AWS SSO, and another template for Control Tower resources?

If not, can I contribute this to the dce project? If so, should I modify the default aws-nuke template with more filters, or add new template yaml files for different scenarios?

eschwartz commented 3 years ago

There are not additional templates available, no.