
Stack Set fails after accounts became suspended

Open hitty5 opened this issue 3 years ago • 6 comments

Describe the bug Stack set operations fail due to terminated / suspended accounts.

To Reproduce Assuming following organization:

Root
- DEV
-- Account 1 (governed with control tower)

Following manifest:

---
region: eu-central-1
version: 2021-03-15

resources:
  - name: rules
    deploy_method: stack_set
    resource_file: templates/rules.template
    deployment_targets:
      organizational_units:
        - DEV
    regions:
      - eu-central-1

Now the account 'Account 1' gets terminated, meaning the account is removed from Control Tower (= the corresponding provisioned product gets deleted). This action moves the account from the origin OU to the root OU and deletes all Control Tower specific resources, e.g. the AWSControlTowerExecution role, so the stack set cannot perform any operation anymore, which makes the stack set fail.

[Screenshot: 2022-01-05 132856]

Expected behavior The stack set detects the Control Tower termination of the account and removes the corresponding stack instance, like it would with auto-deployment mode. Alternatively, for terminated accounts the stack instance could be removed with the option "--retain-stack" in case the required roles are not there anymore.

What would be the right order to terminate an AWS account in combination with the CT customizations framework? E.g.

  1. move account to SUSPENDED OU
  2. run CT customizations (so the stack instance get removed)
  3. terminate CT for account
  4. close account

?

Please complete the following information about the solution:

  • [ ] Version 2.1.0
  • [ ] Region: eu-central-1
  • [ ] Was the solution modified from the version published on this repository? NO
  • [ ] If the answer to the previous question was yes, are the changes available on GitHub?
  • [ ] Have you checked your service quotas for the services this solution uses? YES
  • [ ] Were there any errors in the CloudWatch Logs? NO

hitty5 avatar Jan 05 '22 11:01 hitty5

Perhaps feature request #90 might address this issue somewhat

rmsilva1973 avatar Feb 09 '22 15:02 rmsilva1973

@hitty5 Hello, we have added this issue to our backlog.

rakshb avatar Feb 21 '22 19:02 rakshb

Is there a workaround for this? We have some closed accounts and our pipeline is failing because of it.

dlahn avatar Oct 07 '22 19:10 dlahn

@hitty5 Hello, we have added this issue to our backlog.

@rakshb You need to eliminate the "AWS Control Tower" provisioned product in Service Catalog before you close an account, so the account gets dropped from the organization and the pipeline no longer recognizes the suspended account. Hence, suspended accounts are not touched by the pipeline. In your case I guess you need to reopen the closed accounts and remove them from Service Catalog.

hitty5 avatar Oct 10 '22 07:10 hitty5

Is there any other way? We realised this a bit late, and we have some accounts that were closed many months ago which can't be recovered.

dlahn avatar Oct 14 '22 13:10 dlahn

Since AWS control tower customizations uses AWS stack sets you can try to delete the stack instances of the affected accounts manually.

hitty5 avatar Oct 17 '22 11:10 hitty5
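The manual clean-up hitty5 describes above (and the "remove the stack instance before closing the account" ordering asked about in the issue body) can be scripted. The following is an added example, not code from the aws-control-tower-customizations project: it lists the instances of one self-managed stack set, cross-checks the account ids against the account status AWS Organizations reports (SUSPENDED, CLOSED or PENDING_CLOSURE), and deletes only those instances with RetainStacks=True, since the closed account no longer has an AWSControlTowerExecution role that could run a stack delete. The clients are duck-typed, so the constructed FakeOrganizations / FakeCloudFormation stand-ins let it run offline; with boto3 installed you pass real `cloudformation` and `organizations` clients. The stack set name `CustomControlTower-rules` is a placeholder for the demo.

```python
"""Added example, not part of the aws-control-tower-customizations project:
remove StackSet instances that point at SUSPENDED / CLOSED accounts while
retaining the stacks, because the execution role in those accounts is gone."""
import time
from collections import defaultdict

ORPHAN_STATES = {"SUSPENDED", "CLOSED", "PENDING_CLOSURE"}
PENDING = {"RUNNING", "QUEUED", "STOPPING"}


def orphaned_account_ids(org):
    """Account ids whose Organizations status means no stack instance can work."""
    ids = set()
    for page in org.get_paginator("list_accounts").paginate():
        ids.update(a["Id"] for a in page["Accounts"] if a["Status"] in ORPHAN_STATES)
    return ids


def stack_instances(cf, stack_set_name):
    """Yield (account, region) for every instance of a self-managed stack set."""
    pages = cf.get_paginator("list_stack_instances").paginate(StackSetName=stack_set_name)
    for page in pages:
        for s in page["Summaries"]:
            yield s["Account"], s["Region"]


def plan_deletions(instances, orphan_ids):
    """Map each orphaned account to the sorted regions it has instances in.
    Pure function, so it can be checked without any AWS client."""
    plan = defaultdict(set)
    for account, region in instances:
        if account in orphan_ids:
            plan[account].add(region)
    return {a: sorted(r) for a, r in sorted(plan.items())}


def wait_for_operation(cf, stack_set_name, operation_id, poll_seconds=10):
    """StackSet operations are serialised, so block until this one finishes."""
    while True:
        status = cf.describe_stack_set_operation(
            StackSetName=stack_set_name, OperationId=operation_id
        )["StackSetOperation"]["Status"]
        if status not in PENDING:
            return status
        time.sleep(poll_seconds)


def delete_orphaned_instances(cf, org, stack_set_name, dry_run=True):
    """Delete (retaining stacks) every instance living in an orphaned account.
    Accounts sharing the same region list are batched into one operation."""
    plan = plan_deletions(stack_instances(cf, stack_set_name), orphaned_account_ids(org))
    batches = defaultdict(list)
    for account, regions in plan.items():
        batches[tuple(regions)].append(account)
    results = []
    for regions, accounts in batches.items():
        if dry_run:
            print(f"[dry-run] {stack_set_name}: would delete {accounts} in {list(regions)}")
            continue
        op = cf.delete_stack_instances(
            StackSetName=stack_set_name, Accounts=accounts, Regions=list(regions),
            RetainStacks=True,  # nothing in a closed account can run a stack delete
        )["OperationId"]
        results.append((op, wait_for_operation(cf, stack_set_name, op)))
    return plan, results


# Constructed fakes standing in for boto3 clients so the module runs offline.
class _Paginator:
    def __init__(self, pages):
        self.pages = pages

    def paginate(self, **_):
        return iter(self.pages)


class FakeOrganizations:
    def __init__(self, accounts):
        self.accounts = accounts

    def get_paginator(self, _):
        return _Paginator([{"Accounts": self.accounts}])


class FakeCloudFormation:
    def __init__(self, summaries):
        self.summaries, self.calls = summaries, []

    def get_paginator(self, _):
        return _Paginator([{"Summaries": self.summaries}])

    def delete_stack_instances(self, **kw):
        self.calls.append(kw)
        return {"OperationId": f"op-{len(self.calls)}"}

    def describe_stack_set_operation(self, **_):
        return {"StackSetOperation": {"Status": "SUCCEEDED"}}


def sample_clients():
    """Constructed organization: one ACTIVE, one SUSPENDED, one CLOSED account."""
    org = FakeOrganizations([
        {"Id": "111111111111", "Status": "ACTIVE"},
        {"Id": "222222222222", "Status": "SUSPENDED"},
        {"Id": "333333333333", "Status": "CLOSED"},
    ])
    cf = FakeCloudFormation([
        {"Account": "111111111111", "Region": "eu-central-1"},
        {"Account": "222222222222", "Region": "eu-central-1"},
        {"Account": "333333333333", "Region": "eu-central-1"},
        {"Account": "333333333333", "Region": "eu-west-1"},
    ])
    return cf, org


if __name__ == "__main__":
    cf, org = sample_clients()  # swap for boto3.client("cloudformation") / ("organizations")
    print(delete_orphaned_instances(cf, org, "CustomControlTower-rules", dry_run=False))
```

Run it with dry_run=True first to see which accounts and regions would be touched; the ACTIVE account in the sample is left alone, and only the SUSPENDED and CLOSED accounts' instances are removed. Against real clients the call must be made from the management (or delegated) account that owns the stack set, with permissions for organizations:ListAccounts and the cloudformation StackSet actions.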