org-formation-cli
QA: How to experiment with this stack?
For example how do you clean up your accounts and such?
That's the biggest question / block in my mind, to even trying this out.
To use this stack with an existing AWS Organization (be it an existing sandbox org or otherwise), you should be able to get started by running either the org-formation init or org-formation init-pipeline command. The only side effect in your AWS organization is the creation of a bucket that is used to track state; from here on you can incrementally add features like accounts, SCPs or tasks, while growing confidence in the tool.
If you want to set up a new (sandbox) organisation you could take a look at the reference project. Accounts that are created need to be manually deleted (AWS doesn't offer an API for this). For a sandbox/dev organisation I think it is possible to test most of what you would like to do with a small number of accounts (my guess would be < 5 accounts: log-archive, security, organization-build and organization-management account).
Does that help to get started? We also have a Slack that is worthwhile to join to learn from others.
@kaihendry Although AWS encourages using multiple accounts as a best practice these days and their presenters love to mention how their larger customers use hundreds - or even thousands - of them, AWS does not provide any mechanism that I know of for automating account deletion. (There's at least one proof-of-concept hack floating around online, but I saw it more as entertaining reading that highlights the problem rather than anything to take seriously in practice.) It's a painful, manual process, no matter which solution you use to manage AWS Organizations (including Control Tower).
Account deletion aside, you can use the --perform-cleanup flag when using perform-tasks to have org-formation delete most stacks with resources that no longer have bindings. There's also a delete-stacks command. As with any CloudFormation usage, you'll need to be mindful of ordering issues and resource types that stick around by default in various ways (e.g. S3 buckets needing to be emptied before deletion).
I wish there were AWS tooling that would clean up everything perfectly under all circumstances, but I haven't seen it yet. org-formation isn't perfect, but it solves major pain points for us with some very nice features.
They just announced an api for closing accounts on 3/30/2022. https://aws.amazon.com/about-aws/whats-new/2022/03/aws-organizations-central-account-closure-lifecycle-management/
https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html
Before seeing the details, I was really interested in the CloseAccount API. Unfortunately, the 10% limit for closing active accounts in a rolling 30 day window is very restrictive, plus there's still the 90 day 'grace period'. A bit disappointing, but I guess it's still progress! Maybe after AWS gets an idea of the typical load on the API and such, they'll broaden its usefulness.
@rob3c agreed, I've hit the 10% cap the last three months and I'm still trying to clean up clutter from my previous experiments.
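As an added example, not part of this thread and not org-formation's own code or the AWS SDK, the Python below models the quota the last few comments describe (at most 10% of active member accounts closed within a rolling 30-day window) so that a cleanup script can tell which accounts it may close today, which must wait, and when the next slot opens. Everything in it beyond that rule is an assumption or constructed data: QUOTA_FRACTION and WINDOW mirror only what the thread states, floor rounding and the protected-account set are choices made here, and the account IDs and timestamps are made up. The real quota in the CloseAccount API reference may carry bounds this model does not know about, so check it before trusting the numbers, and remember that a closed account still sits in its 90-day grace period afterwards.

```python
"""Plan AWS member-account closures under the CloseAccount rolling quota.

Added example for this thread; it is not org-formation code and not the
AWS SDK. It models the constraint described above: only 10% of active
member accounts may be closed in a rolling 30-day window. QUOTA_FRACTION,
WINDOW, the floor rounding and every account ID / timestamp below are
assumptions or constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Sequence

QUOTA_FRACTION = 0.10        # "10% of active accounts", as stated in the thread
WINDOW = timedelta(days=30)  # rolling 30-day window, as stated in the thread


@dataclass
class ClosurePlan:
    closable_now: list[str]          # accounts that fit in the remaining budget
    deferred: list[str]              # accounts that must wait for the window to roll
    next_slot_at: datetime | None    # earliest time a deferred closure could proceed


def closures_in_window(history: Iterable[datetime], now: datetime) -> list[datetime]:
    """Past closures that still count against the window, oldest first."""
    return sorted(t for t in history if timedelta(0) <= now - t < WINDOW)


def plan_closures(
    candidates: Sequence[str],
    active_account_count: int,
    history: Iterable[datetime],
    now: datetime,
    protected: Iterable[str] = (),
) -> ClosurePlan:
    """Split `candidates` into what can be closed now and what must be deferred.

    candidates           -- account IDs to close (stacks already removed via
                            perform-tasks --perform-cleanup / delete-stacks)
    active_account_count -- ACTIVE member accounts in the org at `now`
    history              -- timestamps of closures already performed
    protected            -- IDs that must never be closed (management,
                            log-archive, security ...); silently skipped
    The budget uses floor rounding (assumption); the real quota may also carry
    absolute bounds that this model does not know about.
    """
    protected = set(protected)
    budget = int(active_account_count * QUOTA_FRACTION)
    recent = closures_in_window(history, now)
    remaining = max(budget - len(recent), 0)

    safe = [a for a in candidates if a not in protected]
    closable, deferred = safe[:remaining], safe[remaining:]
    # A slot opens when the oldest in-window closure falls out of the window.
    # If nothing is in the window and we are still over budget, the budget is
    # structurally zero (too few accounts) and waiting will not open a slot.
    next_slot = recent[0] + WINDOW if deferred and recent else None
    return ClosurePlan(closable, deferred, next_slot)


def execute_plan(plan: ClosurePlan, close_fn: Callable[[str], None],
                 dry_run: bool = True) -> list[str]:
    """Close the accounts in `plan.closable_now` via `close_fn` (skipped when dry_run)."""
    done: list[str] = []
    for account_id in plan.closable_now:
        if not dry_run:
            close_fn(account_id)
        done.append(account_id)
    return done


# Constructed sample data: 47 active accounts, two closures inside the window,
# one (40 days old) already aged out.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
SAMPLE_HISTORY = [NOW - timedelta(days=40), NOW - timedelta(days=5), NOW - timedelta(days=25)]
SAMPLE_CANDIDATES = ["111111111111", "222222222222", "333333333333", "444444444444"]
PROTECTED = {"999999999999"}  # stands in for the management account (constructed)


def demo_plan() -> ClosurePlan:
    """Plan the constructed sample: budget 4, two slots used, two left."""
    return plan_closures(SAMPLE_CANDIDATES, 47, SAMPLE_HISTORY, NOW, PROTECTED)


if __name__ == "__main__":
    plan = demo_plan()
    print("close now:", plan.closable_now)
    print("deferred: ", plan.deferred, "next slot:", plan.next_slot_at)
    # Real run: pass boto3.client("organizations").close_account(AccountId=...)
    # wrapped as close_fn and set dry_run=False once the plan looks right.
    execute_plan(plan, close_fn=lambda acct: None, dry_run=True)
```

The default is a dry run that only reports; once the printed plan matches what you expect, pass a `close_fn` that calls the Organizations CloseAccount API for the given ID and flip `dry_run` off. Keeping the management, log-archive and security accounts in `protected` means a typo in the candidate list cannot take down the accounts the rest of the organization depends on.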