Issue with AWS Control Tower Decommissioning and StackSet Deletion


Hello all, It all began with the accidental deletion of the Control Tower Stack. Consequently, I proceeded to initiate the decommissioning process, anticipating a fresh start upon its completion. Unfortunately, the decommissioning process failed to finish and instead produced an error message saying

"AWS Control Tower has failed to decommission your landing zone. An error occurred while decommissioning your landing zone: An error occurred while setting up your landing zone. Try again later. If this error persists, contact AWS Support."

Leaving all this behind, I then proceeded to manually remove the AWS Control Tower resources by referring to the AWS documentation page. The steps I took were:

1. Detach and delete SCPs [successfully deleted]
2. Delete StackSets and Stacks [successfully deleted, except for the StackSet named AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE]

Below is the Status Reason for each AWS account:

a) Account ************ should have 'AWSControlTowerExecution' role with trust relationship to Role 'service-role/AWSControlTowerStackSetRole'.

b) ResourceLogicalId:ControlTowerServiceRole, ResourceType:AWS::IAM::ServiceLinkedRole, ResourceStatusReason:Resource of type 'AWS::IAM::ServiceLinkedRole' with identifier 'AWSServiceRoleForAWSControlTower' has a conflict. Reason: SLR [AWSServiceRoleForAWSControlTower] is in use by other resources: [[RoleUsageType(Region=us-east-2, Resources=[arn:aws:organizations::***********:account/-********/**********])]]..

I find myself in a challenging situation and would appreciate assistance or guidance on how to proceed. Thanks in advance.

Meden
Asked 5 months ago, 301 views

1 answer

Accepted answer

Hey Meden,

you could check the following:

"a)": check whether the AWSControlTowerExecution role exists in that account, and if not, just create it manually. Then try again.

"b)": it looks like the role is still in use by the resource you censored. Analyze that resource, delete the Control Tower configuration in that resource, and then try again.

If you are stuck, I would book a Developer support plan for $30 for one month and let AWS Support analyze this issue from the backend in your case.

Sincerely, Heiko

HeikoMR
Answered 5 months ago
  • Hello Heiko,

    I sincerely appreciate the prompt response. Fortunately, I resolved the situation by closing the account in the AWS organization that was utilizing the 'AWS::IAM::ServiceLinkedRole' with the identifier 'AWSServiceRoleForAWSControlTower'. However, I realized I might have overlooked properly deleting the Amazon S3 buckets in the Log Archive account before closing the account. I assumed they would vanish after the 90-day account deletion deadline. If I'm mistaken, please correct me. Nonetheless, thank you for your guidance and the solution you provided.
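As an added example (not code from the question or from Heiko's answer), two offline checks for the StackSet status reasons quoted above: whether an AWSControlTowerExecution trust policy actually trusts the management account's StackSet role (reason a), and which resources a "SLR ... is in use by other resources" message names (reason b). The management account ID, the policy document and the status-reason string are constructed; the live policy would be read with `aws iam get-role --role-name AWSControlTowerExecution` in the member account.

```python
"""Offline checks for the two StackSet status reasons quoted in the question.

Sample inputs are constructed; the live trust policy would be fetched with
`aws iam get-role --role-name AWSControlTowerExecution` in the member account.
"""
import re

MGMT_ACCOUNT_ID = "111111111111"  # constructed placeholder management account


def trusted_principals(mgmt_account_id: str) -> set:
    """Principals that satisfy reason a): the StackSet role itself, or the
    management account root, which Control Tower's documented policy uses."""
    return {
        f"arn:aws:iam::{mgmt_account_id}:role/service-role/AWSControlTowerStackSetRole",
        f"arn:aws:iam::{mgmt_account_id}:root",
    }


def execution_role_trusts_stackset(trust_policy: dict, mgmt_account_id: str) -> bool:
    """True if the AWSControlTowerExecution trust policy lets the management
    account's StackSet role call sts:AssumeRole (StackSet status reason a)."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        if (st.get("Effect") == "Allow" and "sts:AssumeRole" in actions
                and trusted_principals(mgmt_account_id) & set(aws)):
            return True
    return False


USAGE_RE = re.compile(r"RoleUsageType\(Region=([\w-]+), Resources=\[([^\]]*)\]\)")


def slr_blockers(status_reason: str) -> list:
    """(region, resource ARN) pairs from the 'SLR ... is in use by other
    resources' status reason (reason b); each must be cleaned up first."""
    pairs = []
    for region, resources in USAGE_RE.findall(status_reason):
        pairs += [(region, r.strip()) for r in resources.split(",") if r.strip()]
    return pairs


if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
              "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT_ID}:root"},
              "Action": "sts:AssumeRole"}]}
    print("reason a) satisfied:", execution_role_trusts_stackset(policy, MGMT_ACCOUNT_ID))
    reason_b = ("SLR [AWSServiceRoleForAWSControlTower] is in use by other resources: "
                "[[RoleUsageType(Region=us-east-2, Resources=[arn:aws:organizations::"
                "222222222222:account/o-example/333333333333])]]..")
    print("reason b) blockers:", slr_blockers(reason_b))
```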
