Stack Set fails after accounts became suspended

Describe the bug Stack set operations fails due to terminated / suspended accounts.

To Reproduce Assuming following organization:

Root
- DEV
-- Account 1 (governed with control tower)

Following manifest:

---
region: eu-central-1
version: 2021-03-15

resources:
  - name: rules
    deploy_method: stack_set
    resource_file: templates/rules.template
    deployment_targets:
      organizational_units:
        - DEV
    regions:
      - eu-central-1

Now the account ‘Account 1’ gets terminated, meaning the accounts is removed from control tower (=the corresponding provisioned product get deleted). This action moves the account from the origin OU to the root OU and deletes all control tower specific resources, e.g. AWSControlTowerExection role, so the stack set cannot perform any operation anymore, which lets the stack set fail.

Expected behavior The stack set detects the control tower termination of the account and removes the corresponding stack instance, like it would be with auto-deployment mode. Alternatively, for terminated accounts the stack instance could be removed with the options “–retain-stack” in case the required roles are not there anymore.

What would be right order to terminate an AWS account in combination with CT customization framework? E.g.

1. move account to SUSPENDED OU
2. run CT customizations (so the stack instance get removed)
3. terminate CT for account
4. close account

?

Please complete the following i nformation about the solution:

• Version 2.1.0
• Region: eu-central-1
• Was the solution modified from the version published on this repository? NO
• If the answer to the previous question was yes, are the changes available on GitHub?
• Have you checked your service quotas for the sevices this solution uses? YES
• Were there any errors in the CloudWatch Logs? NO