The AWS Secure Environment Accelerator is a tool designed to help deploy and operate secure multi-account, multi-region AWS environments on an ongoing basis. The power of the solution is the configuration file which enables the completely automated deployment of customizable architectures within AWS without changing a single line of code.
Which State did the Main State Machine Fail in: Phase4
We need a fonctionnal way to proceed for removing and close account with VPC Spoke from ASEA. We have steps to remove the biggest part of it, but with many errors and the VPC Spoke stays attached to all the R53 Hosted zone, even after it was deleted.
VPC Spoke are declared in account, not in OU.
Failure Info
Error removng the VPC from the R53 Hosted zone :
When removing VPC Spoke, the state machine even in success has error while removing the attachment from the Hosted zone
AccessDenied: User: arn:aws:sts:::assumed-role/PBMMAccel-PipelineRole/temporary is not authorized to perform: route53:DisassociateVPCFromHostedZone on resource: because no resource-based policy allows the route53:DisassociateVPCFromHostedZone action
See the example config segment for an account with VPC Spoke
[Uploading account_exemple_vpcspoke.json…]()
(not the full config for confidentiality reason, I will pass this to our AWS contact which is aware of this problem)
Steps To Reproduce
Steps to remove VPC Spoke from accounts :
Remove dependencies from ASEA config file (TGW and ALB if there is one declared) and execute the state machine ASEA with full Apply (section TGW of the spoke VPC, ALB if there is one declared).
After this first step, R53 hosted zone are still attached to the spoke VPC. Kind of strange since sandbox VPC are not attached to TGW and are not in Endpoint, I was expecting the attachment to be remove as a sandbox VPC would be. Take note that this first step is optionnal, I have try with and without and the same error occurs later.
Remove Deletion Protection from the cloud formation « PBMMAccel--Phase4-RulesAsscociation1 » in the account where the VPC was declared. Otherwise, the state machine will fail later.
Remove the VPC from the account in the config file and execute the state machine ASEA with overrides parameter for "ov-acct-vpc" et "ov-acct-subnet" (note : Full Apply was tested and is not working for this step, VPC isn't remove correctly in this step and we would have to put in back in the config and start again)
After this step, ASEA failed at the stack « PBMMAccel--Phase4-RulesAsscociation1 » without the account with VPC Spoke : the custom ressources failed to delete, because it does not return the result corretly. Because it goes in "failed to delete", there is nothing we can change in ASEA to resolve the state machine by himself.
Delete manually the CloudFormation stack "PBMMAccel--Phase4-RulesAsscociation1" and to ignore the custom ressource. After this, we recreate a stack with the same name with a dummy ressource.
Execute the state machine ASEA again. After this last step, the Spoke VPC is remove and ASEA is completed successfully.
Expected behavior
We are able to remove shared VPC with one execution without errors in one execution.
I expected a similar result while removing VPC Spoke, maybe in two steps for dependencies, without errors and manual action on the stack.
Additional context
VPC Spoke declared in account, not in OU, and connected with TGW
We need a fonctionnal way to proceed for removing and close account with VPC Spoke from ASEA. We have steps to remove the biggest part of it, but with many errors and the VPC Spoke stays attached to all the R53 Hosted zone, even after it was deleted. VPC Spoke are declared in account, not in OU.
Failure Info
Error removng the VPC from the R53 Hosted zone : When removing VPC Spoke, the state machine even in success has error while removing the attachment from the Hosted zone AccessDenied: User: arn:aws:sts:::assumed-role/PBMMAccel-PipelineRole/temporary is not authorized to perform: route53:DisassociateVPCFromHostedZone on resource: because no resource-based policy allows the route53:DisassociateVPCFromHostedZone action
See the example config segment for an account with VPC Spoke [Uploading account_exemple_vpcspoke.json…]() (not the full config for confidentiality reason, I will pass this to our AWS contact which is aware of this problem)
Steps To Reproduce Steps to remove VPC Spoke from accounts :
Expected behavior We are able to remove shared VPC with one execution without errors in one execution. I expected a similar result while removing VPC Spoke, maybe in two steps for dependencies, without errors and manual action on the stack.
Additional context VPC Spoke declared in account, not in OU, and connected with TGW