
Comments (21)

Speculor commented on August 17, 2024 · 6

I agree this issue is very problematic, counter-intuitive and against general IaC principles. If you add an account or OU to the manifest file and an SCP or CFN template is applied to it, removing the account or OU from the manifest file should cause those resources to be removed. This is how, for example, Terraform or Chef handle things and maintain idempotency: the diff from the existing state is always applied. This issue forces us to manually go in and remove resources that were previously applied with this stack, and at scale this can be extremely time-consuming and error-prone.

from aws-control-tower-customizations.

groverlalit commented on August 17, 2024 · 5

For clarification:

What is already supported?

For SCP resources in manifest:

  • Create and update SCP policy.
  • Add and update Organizational Units (OU) list

For CloudFormation resources

  • Add, update and delete accounts
  • Add, update and delete regions
  • Update template and/or parameters.

What is on the roadmap?

For SCP resources in manifest:

  • Deleting an OU name should remove the OU from the SCP targets. (this GitHub issue/feature request)

For CloudFormation resources

  • Deletion of the stack set (suggested in this GitHub ticket)

balltrev commented on August 17, 2024 · 5

We've just published v2.5.0 containing an opt-in flag to enable Stack Set resource deletion.

suankan commented on August 17, 2024 · 4

My apologies for the late update on this.

Tested on version v2.5.1, and the flag enable_stack_set_deletion: true works as described for the StackSet resources, which is great!

This config parameter name also suggests that it was only meant for StackSets, and according to my testing, Service Control Policy (SCP) type resources are still missing a similar feature. It would be great if a similar feature were there for SCPs as well!

But anyways, many thanks to you guys from University of New South Wales for getting it done!


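The gap described in the comment above (whole stack sets are deleted only behind the opt-in flag, dropped SCP targets are not cleaned up at all) can be made visible before the pipeline runs by diffing two manifest revisions. The script below is an added example, not code from the thread or from aws-control-tower-customizations; the manifest shape (`resources`, `deploy_method`, `deployment_targets`, `regions`) is assumed from the v2 manifest layout and the sample manifests are constructed.

```python
from typing import Dict, Set, Tuple

Target = Tuple[str, str]  # (OU or account, region); SCP targets carry region "-"

# Constructed sample manifests, assumed to follow the v2 manifest layout.
OLD_MANIFEST = {"resources": [
    {"name": "deny-root", "deploy_method": "scp",
     "deployment_targets": {"organizational_units": ["A", "B"]}},
    {"name": "baseline", "deploy_method": "stack_set",
     "deployment_targets": {"accounts": ["111111111111", "222222222222"]},
     "regions": ["us-east-1", "eu-west-1"]},
    {"name": "legacy", "deploy_method": "stack_set",
     "deployment_targets": {"organizational_units": ["A"]}, "regions": ["us-east-1"]},
]}
# New revision: SCP moved from OU B to C, one account and one region dropped
# from "baseline", and "legacy" removed altogether.
NEW_MANIFEST = {"resources": [
    {"name": "deny-root", "deploy_method": "scp",
     "deployment_targets": {"organizational_units": ["A", "C"]}},
    {"name": "baseline", "deploy_method": "stack_set",
     "deployment_targets": {"accounts": ["111111111111"]}, "regions": ["us-east-1"]},
]}


def _targets(res: dict) -> Set[Target]:
    """Expand one resource into (target, region) pairs."""
    dt = res.get("deployment_targets", {})
    names = set(dt.get("organizational_units", [])) | set(dt.get("accounts", []))
    return {(n, r) for n in names for r in res.get("regions") or ["-"]}


def dropped_targets(old: dict, new: dict) -> Dict[str, Set[Target]]:
    """Per resource name, targets present in old but missing from new."""
    new_by_name = {r["name"]: r for r in new["resources"]}
    gone = {r["name"]: _targets(r) - _targets(new_by_name.get(r["name"], {}))
            for r in old["resources"]}
    return {name: t for name, t in gone.items() if t}


def manual_cleanup(old: dict, new: dict, enable_stack_set_deletion: bool = False):
    """Dropped targets the pipeline will not remove on its own, as this thread
    describes it: SCP detachments are never automated; a stack set removed
    wholesale needs enable_stack_set_deletion (v2.5.0+); instance removals
    inside a stack set that is still listed are handled by the pipeline."""
    kept = {r["name"] for r in new["resources"]}
    kind = {r["name"]: r["deploy_method"] for r in old["resources"]}
    return {name: t for name, t in dropped_targets(old, new).items()
            if kind[name] == "scp"
            or (name not in kept and not enable_stack_set_deletion)}
```

Running `manual_cleanup` in a pre-merge check turns the surprise described in this thread into a reviewable list of targets that someone still has to detach or delete by hand.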
word commented on August 17, 2024 · 3

It has been almost two years since this was reported. Do you have any updates on the progress? It's a rudimentary feature without which this solution isn't very usable beyond the initial set up.

tomburge commented on August 17, 2024 · 2

Is this on the roadmap? This is a huge limitation and should be mentioned in the docs.

Also a targeted time frame would be good. Some other partners have already built their own customization solutions because deleting objects cleanly is not supported.

rakshb commented on August 17, 2024 · 1

Hi all - This feature is on our roadmap and will be evaluated for a future release. Thanks!

Speculor commented on August 17, 2024 · 1

Yeah this is really bad. Every time we remove an account from our Control Tower the pipeline subsequently fails and we have to go in and manually remove the Stack Set instances for the account that no longer exists. In retrospect we should have used Terraform from the beginning.

randyspainhower commented on August 17, 2024 · 1

groverlalit commented on August 17, 2024

@dustnic The current version does not support the deletion feature at the stack set level. If an OU, account or region is removed from the CFN resource the pipeline should delete the stack instances.

nicoaws commented on August 17, 2024

Hi Lalit. Point taken re: not supporting the deletion feature at stack set level. I tested by changing the list of OUs a resource was deployed to from (A,B) to (A,C): the resource was deployed to C, but not removed from B.

rcalvachi commented on August 17, 2024

So what I do is comment out the OU or account and that removes the stack. However, there has to be at least one left in the section and thus, it can't be deleted.

@groverlalit I suggest using the "deploy_method = remove" in a future version. That would be great. Thoughts?

schirag1993 commented on August 17, 2024

Is this on the roadmap?

mikkelramlov commented on August 17, 2024

I also believe it should be optional to select a retain policy in the manifest for each stack. It causes some misconception that a manual deletion procedure is necessary when removing stacks from the manifest file. In my understanding it goes against the IaC idea when you have to make sure the stacks are in sync with the StackSets.

kkvinjam commented on August 17, 2024

+1, one more customer looking for this feature. As per customer, it is not completely idempotent without this capability.

RichNahra commented on August 17, 2024

Is this on the roadmap? This is a huge limitation and should be mentioned in the docs.

kbessas commented on August 17, 2024

It has been 2 years since this was created. This is fundamental functionality.

suankan commented on August 17, 2024

Hi @groverlalit
Any plans to implement this anytime soon?

balltrev commented on August 17, 2024

Thanks for the feedback, we understand the pain point here. This is on our roadmap for medium-term implementation, we will circle back with an update as we get closer to deploying a solution.

rcalvachi commented on August 17, 2024

It has been almost two years since this was reported. Do you have any updates on the progress? It's a rudimentary feature without which this solution isn't very usable beyond the initial set up.

Check out my method: #24 (comment)

suankan commented on August 17, 2024

MANY THANKS GUYS!!!
YOU'RE THE BEST!!!

I'll be trying it out somewhere soon and will come back how it went.
