aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Clean-up resources when an account is removed #62

Closed fjromerom closed 2 years ago

fjromerom commented 2 years ago

Hi team,

AFT manages the creation of the account as well as the creation of the baseline resources; however, it does not manage the deprovisioning when an account is suspended. If an account is removed from the account-request repository, it is removed from the DynamoDB table aft-request but not from aft-request-metadata. The CodePipeline pipeline created is not removed either.

My expectation of AFT is to perform the following actions:

What's the plan to support deprovisioning of an account?

Thanks, Francisco

balltrev commented 2 years ago

We do call out this process in our public docs, but I do see an opportunity here to automate some of the steps that you're calling out (e.g., CodePipelines).

I'll make a backlog to track these improvements to the account removal process.

stumins commented 1 year ago

Hi @fjromerom,

AFT 1.8.0 now removes an account's customization pipeline when the account is removed from the AFT request repo. I've created https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/301 to track the enhancement request to un-enroll the account from Control Tower when the account request is removed.

Thanks again for the feedback!

pursachi commented 10 months ago

When an account is removed from AFT, it doesn't destroy resources created by the customization pipeline; it does, however, delete the pipeline itself. Any plans to include this feature?