Stack Set fails after accounts became suspended
Describe the bug
Stack set operations fail due to terminated / suspended accounts.
To Reproduce
Assuming the following organization:
Root
- DEV
-- Account 1 (governed with control tower)
Following manifest:
---
region: eu-central-1
version: 2021-03-15
resources:
  - name: rules
    deploy_method: stack_set
    resource_file: templates/rules.template
    deployment_targets:
      organizational_units:
        - DEV
    regions:
      - eu-central-1
Now the account ‘Account 1’ gets terminated, meaning the account is removed from control tower (= the corresponding provisioned product gets deleted). This action moves the account from the origin OU to the root OU and deletes all control tower specific resources, e.g. the AWSControlTowerExecution role, so the stack set cannot perform any operation anymore, which makes the stack set fail.
Expected behavior
The stack set detects the control tower termination of the account and removes the corresponding stack instance, like it would be with auto-deployment mode. Alternatively, for terminated accounts the stack instance could be removed with the option “--retain-stack” in case the required roles are not there anymore.
What would be the right order to terminate an AWS account in combination with the CT customization framework? E.g.
- move account to SUSPENDED OU
- run CT customizations (so the stack instance get removed)
- terminate CT for account
- close account
?
Please complete the following information about the solution:
- Version 2.1.0
- Region: eu-central-1
- Was the solution modified from the version published on this repository? NO
- If the answer to the previous question was yes, are the changes available on GitHub?
- Have you checked your service quotas for the services this solution uses? YES
- Were there any errors in the CloudWatch Logs? NO
Top GitHub Comments
Perhaps feature request #90 might address this issue somewhat
Since AWS control tower customizations uses AWS stack sets you can try to delete the stack instances of the affected accounts manually.
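The manual cleanup suggested in the last comment, sketched with boto3 as an added example that is not part of the original issue or of the CfCT code base: it finds stack instances whose account is no longer ACTIVE in AWS Organizations and removes them with RetainStacks. The stack set name EXAMPLE-STACK-SET is a placeholder, and treating every non-ACTIVE account as orphaned is an assumption; pass your own set of account IDs for accounts that were only unenrolled from Control Tower.

```python
import time
from collections import defaultdict


def inactive_accounts(org):
    """IDs of accounts AWS Organizations reports as anything but ACTIVE."""
    ids = set()
    for page in org.get_paginator("list_accounts").paginate():
        ids.update(a["Id"] for a in page["Accounts"] if a["Status"] != "ACTIVE")
    return ids


def plan_deletions(cfn, stack_set, dead):
    """Batch orphaned instances as [(accounts, regions)], one per distinct region set."""
    regions_of = defaultdict(set)
    pager = cfn.get_paginator("list_stack_instances")
    for page in pager.paginate(StackSetName=stack_set):
        for inst in page["Summaries"]:
            if inst["Account"] in dead:
                regions_of[inst["Account"]].add(inst["Region"])
    batches = defaultdict(list)
    for account, regions in regions_of.items():
        batches[tuple(sorted(regions))].append(account)
    return [(sorted(accts), list(regs)) for regs, accts in sorted(batches.items())]


def apply_plan(cfn, stack_set, plan, poll_seconds=10):
    """Run batches one at a time, waiting for each operation to finish."""
    results = []
    for accounts, regions in plan:
        # RetainStacks=True drops the instance from the stack set and leaves the
        # stack in place, for accounts where the execution role no longer exists.
        op = cfn.delete_stack_instances(
            StackSetName=stack_set, Accounts=accounts,
            Regions=regions, RetainStacks=True)["OperationId"]
        while True:
            status = cfn.describe_stack_set_operation(
                StackSetName=stack_set, OperationId=op)["StackSetOperation"]["Status"]
            if status not in ("QUEUED", "RUNNING", "STOPPING"):
                break
            time.sleep(poll_seconds)
        results.append((op, status))
    return results


if __name__ == "__main__":
    import boto3  # run with management-account credentials
    cfn = boto3.client("cloudformation", region_name="eu-central-1")
    org = boto3.client("organizations", region_name="us-east-1")
    plan = plan_deletions(cfn, "EXAMPLE-STACK-SET", inactive_accounts(org))
    print(plan)  # review, then: apply_plan(cfn, "EXAMPLE-STACK-SET", plan)
```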