aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

Stack Set fails after accounts became suspended #86

Open hitty5 opened 2 years ago

hitty5 commented 2 years ago

Describe the bug Stack set operations fail due to terminated / suspended accounts.

To Reproduce Assuming the following organization:

Root
- DEV
-- Account 1 (governed with control tower)

Following manifest:

---
region: eu-central-1
version: 2021-03-15

resources:
  - name: rules
    deploy_method: stack_set
    resource_file: templates/rules.template
    deployment_targets:
      organizational_units:
        - DEV
    regions:
      - eu-central-1

Now the account 'Account 1' gets terminated, meaning the account is removed from Control Tower (i.e. the corresponding provisioned product gets deleted). This action moves the account from the origin OU to the root OU and deletes all Control Tower specific resources, e.g. the AWSControlTowerExecution role, so the stack set cannot perform any operation anymore, which makes the stack set operation fail.


Expected behavior The stack set detects the Control Tower termination of the account and removes the corresponding stack instance, as it would in auto-deployment mode. Alternatively, for terminated accounts the stack instance could be removed with the "--retain-stack" option in case the required roles are not there anymore.

What would be the right order to terminate an AWS account in combination with the CT customization framework? E.g.

  1. move account to SUSPENDED OU
  2. run CT customizations (so the stack instance gets removed)
  3. terminate CT for account
  4. close account

?


rmsilva1973 commented 2 years ago

Perhaps feature request #90 might address this issue somewhat

rakshb commented 2 years ago

@hitty5 Hello, we have added this issue to our backlog.

dlahn commented 1 year ago

Is there a workaround for this? We have some closed accounts and our pipeline is failing because of it.

hitty5 commented 1 year ago

@rakshb You need to eliminate the "AWS Control Tower" provisioned product in Service Catalog before you close an account, so the account gets dropped from the organization and the pipeline no longer recognizes the suspended account. Hence, suspended accounts are not touched by the pipeline. In your case I guess you need to reopen the closed accounts and remove them from Service Catalog.

dlahn commented 1 year ago

Is there any other way? We realised this a bit late, and we have some accounts that were closed many months ago which can't be recovered.

hitty5 commented 1 year ago

Since AWS Control Tower customizations use AWS stack sets, you can try to delete the stack instances of the affected accounts manually.
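One way to carry out that manual cleanup, as an added example that is not from the issue or the project's own code: it takes the accounts listed by Organizations and the stack set's instances, keeps the instances whose account is SUSPENDED or no longer in the organization, and deletes them per region with RetainStacks=True, which only drops the stack-set record and so does not need the execution role that Control Tower already removed. The stack set name "CustomControlTower-rules" and the sample records are assumptions.

```python
from typing import Dict, Iterable, List, Mapping

# Constructed sample records shaped like Organizations list_accounts() and
# CloudFormation list_stack_instances() output; they are not from the issue.
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Status": "ACTIVE"},
    {"Id": "222222222222", "Status": "SUSPENDED"},  # closed account, still listed for a while
]
SAMPLE_INSTANCES = [
    {"Account": "111111111111", "Region": "eu-central-1", "Status": "CURRENT"},
    {"Account": "222222222222", "Region": "eu-central-1", "Status": "OUTDATED"},
    {"Account": "222222222222", "Region": "eu-west-1", "Status": "OUTDATED"},
    {"Account": "333333333333", "Region": "eu-central-1", "Status": "INOPERABLE"},  # already gone from the org
]


def orphaned_instances(accounts: Iterable[Mapping], instances: Iterable[Mapping]) -> Dict[str, List[str]]:
    """Map region -> sorted account ids whose stack instances can no longer be operated on:
    the account is SUSPENDED (anything not ACTIVE) or is missing from the organization."""
    status = {a["Id"]: a.get("Status") for a in accounts}
    plan: Dict[str, List[str]] = {}
    for inst in instances:
        if status.get(inst["Account"], "MISSING") != "ACTIVE":
            plan.setdefault(inst["Region"], []).append(inst["Account"])
    return {region: sorted(set(ids)) for region, ids in plan.items()}


def delete_orphaned(stack_set_name: str, plan: Mapping[str, List[str]], dry_run: bool = True) -> List[str]:
    """One delete_stack_instances call per region: the API deletes the full Accounts x Regions
    product, so merging regions could remove healthy instances. RetainStacks=True drops only the
    stack-set record and leaves the stack in the closed account alone (it is unreachable anyway)."""
    cfn, operation_ids = None, []
    for region, account_ids in sorted(plan.items()):
        if dry_run:
            print(f"would delete {stack_set_name} instances in {region}: {account_ids}")
            continue
        if cfn is None:
            import boto3  # imported lazily so the planning step runs without AWS access
            cfn = boto3.client("cloudformation")
        resp = cfn.delete_stack_instances(StackSetName=stack_set_name, Accounts=account_ids,
                                          Regions=[region], RetainStacks=True)
        operation_ids.append(resp["OperationId"])
    return operation_ids


if __name__ == "__main__":
    import boto3
    name = "CustomControlTower-rules"  # assumed name for the manifest's "rules" stack set
    org, cfn = boto3.client("organizations"), boto3.client("cloudformation")
    accounts = [a for p in org.get_paginator("list_accounts").paginate() for a in p["Accounts"]]
    instances = [i for p in cfn.get_paginator("list_stack_instances").paginate(StackSetName=name) for i in p["Summaries"]]
    delete_orphaned(name, orphaned_instances(accounts, instances), dry_run=True)
```

Run it from the management account (or a delegated administrator for CloudFormation StackSets) with dry_run=True first and review the printed plan before switching to dry_run=False.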