aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

How to revert deployment of AFT? #307

Open oliversalzburg opened 1 year ago

oliversalzburg commented 1 year ago

Terraform Version & Prov: unknown

AFT Version: 1.7.0 (Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version)

Bug Description: A third party created an AFT management account in our AWS organization, with the plan to later migrate the local state to a remote state. This has never happened and the third party is now gone. This seems to leave us unable to update the AFT account through our desired IaC path.

I would like to revert this AFT deployment and start over. I assume I can just decommission the account and just deploy AFT again, but I'm not entirely sure if this could create potential conflicts. I wasn't able to find any official guidance on this.

To Reproduce: Steps to reproduce the behavior:

  1. Follow the steps at https://github.com/aws-ia/terraform-aws-control_tower_account_factory#configure-and-launch-your-aws-control-tower-account-factory-for-terraform
  2. Delete your Terraform state

balltrev commented 1 year ago

Hello @oliversalzburg, you’re absolutely right that just decommissioning the account and provisioning another will cause conflicts as AFT deploys resources throughout your AWS Control Tower Landing Zone. You’ll need to verify the following resources do not exist in their respective accounts before attempting to re-deploy AFT in a new AFT management account:

Within the Control Tower Management Account:

  1. IAM Role: aft-control-tower-events-rule
  2. IAM Role: AWSAFTExecution
  3. IAM Role: AWSAFTService

Within the Log Archive Account:

  1. IAM Role: AWSAFTExecution
  2. IAM Role: AWSAFTService
  3. KMS Alias: alias/aft
  4. S3 Bucket: aws-aft-logs-$ACCOUNT_ID-$CT_HOME_REGION
  5. S3 Bucket: aws-aft-s3-access-logs-$ACCOUNT_ID-$CT_HOME_REGION

Within the Audit account:

  1. IAM Role: AWSAFTExecution
  2. IAM Role: AWSAFTService

Once you’ve confirmed the resources above are not present, you should be able to follow https://docs.aws.amazon.com/controltower/latest/userguide/aft-getting-started.html to get AFT up and running in your environment.
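The checklist in the answer above can be turned into a pre-flight script that confirms each listed resource is absent before a fresh AFT deployment. The following is an added example, not code from the AFT project or from the commenter; it assumes AWS CLI v2 is installed and that the credentials in the environment (for instance `AWS_PROFILE`) already point at the one account being inspected, so it is run once per account with the account type as its first argument. The function and argument names (`aft_preflight`, `aft_roles_for`, `aft_log_archive_buckets`, the `management|log-archive|audit` selector) are this example's own; the role names, KMS alias and bucket-name pattern are the ones listed in the comment.

```shell
#!/bin/sh
# Added example (hypothetical): pre-flight check for leftover AFT resources
# before re-deploying AFT in a new management account. Not part of AFT itself.
# Assumes: AWS CLI v2; credentials already scoped to the account under inspection.
set -u

# Compose the two S3 bucket names AFT creates in the Log Archive account.
# Usage: aft_log_archive_buckets <account-id> <ct-home-region>
aft_log_archive_buckets() {
  printf '%s\n' "aws-aft-logs-$1-$2" "aws-aft-s3-access-logs-$1-$2"
}

# IAM role names that must be absent for a given account type.
# Usage: aft_roles_for <management|log-archive|audit>
aft_roles_for() {
  case "$1" in
    management)        printf '%s\n' aft-control-tower-events-rule AWSAFTExecution AWSAFTService ;;
    log-archive|audit) printf '%s\n' AWSAFTExecution AWSAFTService ;;
    *) echo "unknown account type: $1" >&2; return 2 ;;
  esac
}

# Each check prints "PRESENT <kind> <name>" or "absent <kind> <name>" and
# returns 1 when the resource (or a conflict) is found, 0 when it is absent.
check_role() {
  if aws iam get-role --role-name "$1" >/dev/null 2>&1; then
    echo "PRESENT iam-role $1"; return 1
  fi
  echo "absent iam-role $1"
}

check_kms_alias() {
  if aws kms describe-key --key-id "$1" >/dev/null 2>&1; then
    echo "PRESENT kms-alias $1"; return 1
  fi
  echo "absent kms-alias $1"
}

# Bucket names are global: a 403 from head-bucket means the name is taken by
# another account, which is still a conflict, so only a 404 counts as absent.
check_bucket() {
  if err=$(aws s3api head-bucket --bucket "$1" 2>&1 >/dev/null); then
    echo "PRESENT s3-bucket $1"; return 1
  fi
  case "$err" in
    *"(404)"*|*"Not Found"*) echo "absent s3-bucket $1" ;;
    *) echo "PRESENT s3-bucket $1 (head-bucket failed: $err)"; return 1 ;;
  esac
}

# Run every check relevant to the account type; non-zero exit if anything is left.
# Usage: aft_preflight management
#        aft_preflight log-archive <account-id> <ct-home-region>
#        aft_preflight audit
aft_preflight() {
  type="$1"; leftovers=0
  for role in $(aft_roles_for "$type"); do
    check_role "$role" || leftovers=$((leftovers + 1))
  done
  if [ "$type" = log-archive ]; then
    check_kms_alias alias/aft || leftovers=$((leftovers + 1))
    for bucket in $(aft_log_archive_buckets "${2:?account-id required}" "${3:?ct-home-region required}"); do
      check_bucket "$bucket" || leftovers=$((leftovers + 1))
    done
  fi
  echo "leftover AFT resources: $leftovers"
  [ "$leftovers" -eq 0 ]
}

# Only run when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
  aft_preflight "$@"
fi
```

Run it three times, switching credentials between calls: `aft_preflight management` in the Control Tower management account, `aft_preflight log-archive <account-id> <ct-home-region>` in the Log Archive account, and `aft_preflight audit` in the Audit account. Any `PRESENT` line is something to remove (or a bucket-name conflict to resolve) before following the getting-started guide; a credentials or permissions error is deliberately reported as a conflict rather than as "absent", so a mis-scoped profile cannot produce a false all-clear.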

oliversalzburg commented 1 year ago

Thanks a lot for providing all those details :)

I have since already manually decommissioned the account and cleaned up the resources you mentioned. I feel like it would help if these steps were part of the official AFT documentation (sorry, if I just missed them). At the very least, it gives more confidence knowing the recovery steps.