aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

CT Console should display if another account is currently being unmanaged or another execution is in progress #203

Open Waqiah opened 1 week ago

Waqiah commented 1 week ago

Is your feature request related to a problem? Please describe.

According to the documentation, it is a known limitation that only one account can be unmanaged at a time. However, when unmanaging an account via the CT Console via the 'Unmanage Account' button, we are not made aware that another account is currently being unmanaged. Instead, the Console displays "You requested AWS Control Tower to stop managing this account. AWS Control Tower no longer fully manages the account" and after 5-10 mins the account remains as 'Enrolled'.

This is a cause for concern as we do not understand why it is remaining in the 'Enrolled' state and we are then left to retry multiple times.

Looking at CloudTrail, it was then seen that the reason why some of the "DeregisterManagedAccount" APIs failed was because of a ConflictException where another account was being unmanaged at that time.

It would be helpful to be given an indicator that another execution is occurring when trying to unmanage an account.

Describe the feature you'd like

When unmanaging an account via the console, a message (for example in the banner) should be displayed if there is currently another account that is being unmanaged, letting us know to wait a certain amount of time before retrying the operation.
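An added example, not part of the original issue or the project's code: one way to confirm from exported CloudTrail records that a failed unmanage attempt collided with an earlier one. The records are constructed, reading the conflict from `errorCode` is an assumption based on the issue text, and pairing each failure with the most recent accepted call is a heuristic.

```python
import json
from datetime import datetime

# Constructed CloudTrail records (not real log data). eventTime, eventName,
# eventID, errorCode and errorMessage are standard CloudTrail record fields;
# that the conflict appears as errorCode "ConflictException" is an assumption
# taken from the issue text.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-05-01T10:00:05Z", "eventID": "constructed-1",
  "eventName": "DeregisterManagedAccount"},
 {"eventTime": "2024-05-01T10:02:40Z", "eventID": "constructed-2",
  "eventName": "DeregisterManagedAccount",
  "errorCode": "ConflictException", "errorMessage": "constructed message"},
 {"eventTime": "2024-05-01T10:04:00Z", "eventID": "constructed-3",
  "eventName": "ConsoleLogin"},
 {"eventTime": "2024-05-01T10:06:10Z", "eventID": "constructed-4",
  "eventName": "DeregisterManagedAccount",
  "errorCode": "ConflictException", "errorMessage": "constructed message"}
]""")

EVENT = "DeregisterManagedAccount"
CONFLICT = "ConflictException"

def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_unmanage_conflicts(records):
    """Pair each conflicting call with the last accepted call before it.

    Returns (failed_event_id, earlier_event_id, seconds_between) tuples;
    the last two are None when no accepted call precedes the failure.
    """
    calls = sorted((r for r in records if r.get("eventName") == EVENT), key=_ts)
    last_accepted, conflicts = None, []
    for rec in calls:
        if rec.get("errorCode") == CONFLICT:
            if last_accepted is None:
                conflicts.append((rec["eventID"], None, None))
            else:
                gap = int((_ts(rec) - _ts(last_accepted)).total_seconds())
                conflicts.append((rec["eventID"], last_accepted["eventID"], gap))
        elif "errorCode" not in rec:
            last_accepted = rec  # call was accepted; unmanage may still be running
    return conflicts

if __name__ == "__main__":
    for failed, earlier, gap in find_unmanage_conflicts(SAMPLE_RECORDS):
        print(f"{failed}: conflict {gap}s after accepted call {earlier}")
```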

sk-at-amazon commented 5 days ago

Thanks for reporting the issue. We’ve added this to our backlog.