In such cases, where AWS Control Tower fails, you'd need to take a few steps very precisely; otherwise you may end up in a locking situation where you'll start seeing multiple constraint violation errors.
I've worked on cleanup in the past and based on that I'm providing you three resources, which will help you clean up the setup done by Control Tower and then create one fresh. You need to follow them in the same order:
Parent document, that you should go through first: Walkthrough: Decommission an AWS Control Tower Landing Zone
Comment here if you have additional questions, happy to help.
Hope you find this useful.
Abhishek
Hello Nabil,
As you might know, the AWS Control Tower home Region must be the same as the IAM Identity Center (hereafter AWS SSO) Region.
If you are having issues during the LZ installation and your AWS SSO is already set up in another region, you should decommission the LZ as secondabhi_aws mentioned, and then set it up again in the same region.
Here are some documents that might be helpful for you.
- Considerations for AWS IAM Identity Center: https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-prereqs.html#sso-considerations
- Things to Know About IAM Identity Center Accounts and AWS Control Tower: https://docs.aws.amazon.com/controltower/latest/userguide/sso.html#sso-good-to-know
If you'd like to set up AWS SSO in another region, you should delete the previous setup before reconfiguring. One thing you have to keep in mind is that when an AWS SSO configuration is deleted, all the data in that configuration is deleted and can't be recovered. So you should back up the configuration first. AWS SSO currently doesn't provide a backup feature, so you need to gather the configuration information manually. The following link might be useful for exporting basic information such as users, groups and their assignments from the current AWS SSO: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/export-a-report-of-aws-iam-identity-center-identities-and-their-assignments-by-using-powershell.html
After that, delete the AWS SSO. Please refer to the link below.
- Delete your IAM Identity Center configuration: https://docs.aws.amazon.com/singlesignon/latest/userguide/regions.html#delete-config
I hope this will work well. :)
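The manual backup step described in the answer above, as an added example that is not part of the original thread or of the linked AWS guidance: a POSIX shell script using the AWS CLI v2 to dump Identity Center users, groups, permission sets and account assignments to files before the configuration is deleted. It assumes credentials for the management account and that the Identity Center region is passed explicitly; the script name `export_sso.sh` and output directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): export IAM Identity Center data before
# deleting the configuration. Assumes AWS CLI v2 and management-account credentials.
set -eu

# Pure helper: quote one CSV field, doubling embedded quotes, so permission set
# names containing commas or quotes survive in assignments.csv.
csv_field() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Identity Center is regional: querying the wrong region simply returns no instance,
# so the region is a required argument rather than taken from the CLI default.
export_identity_center() {
  region="$1"; out="${2:-identity-center-backup}"
  mkdir -p "$out"
  inst=$(aws sso-admin list-instances --region "$region" \
           --query 'Instances[0].[InstanceArn,IdentityStoreId]' --output text)
  set -- $inst                         # split "arn<TAB>store-id" into $1 and $2
  instance_arn="$1"; store_id="${2:-}"
  [ "$instance_arn" != "None" ] || { echo "no Identity Center instance in $region" >&2; return 1; }

  aws identitystore list-users  --region "$region" --identity-store-id "$store_id" > "$out/users.json"
  aws identitystore list-groups --region "$region" --identity-store-id "$store_id" > "$out/groups.json"
  aws sso-admin list-permission-sets --region "$region" --instance-arn "$instance_arn" > "$out/permission-sets.json"

  # Assignments are only listable per (account, permission set) pair, so walk every
  # pair; this is accounts x permission sets API calls, acceptable for a one-off backup.
  echo "account_id,permission_set,principal_type,principal_id" > "$out/assignments.csv"
  for ps in $(aws sso-admin list-permission-sets --region "$region" --instance-arn "$instance_arn" \
                --query 'PermissionSets[]' --output text); do
    ps_name=$(aws sso-admin describe-permission-set --region "$region" --instance-arn "$instance_arn" \
                --permission-set-arn "$ps" --query 'PermissionSet.Name' --output text)
    for acct in $(aws organizations list-accounts --query 'Accounts[].Id' --output text); do
      aws sso-admin list-account-assignments --region "$region" --instance-arn "$instance_arn" \
        --account-id "$acct" --permission-set-arn "$ps" \
        --query 'AccountAssignments[].[PrincipalType,PrincipalId]' --output text |
      while read -r ptype pid; do
        [ -n "$ptype" ] || continue        # empty line when the pair has no assignments
        printf '%s,%s,%s,%s\n' "$acct" "$(csv_field "$ps_name")" "$ptype" "$pid" >> "$out/assignments.csv"
      done
    done
  done
  echo "exported to $out"
}

# Usage: sh export_sso.sh export eu-west-3 [output-dir]
if [ "${1:-}" = "export" ]; then
  export_identity_center "${2:?region required}" "${3:-identity-center-backup}"
fi
```

The resulting files are plain JSON and CSV, so they can be diffed against a later export to confirm the rebuilt configuration matches the original.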
Hello,
Thanks for your help. I removed the Identity Center configured in Paris and then let Control Tower finish the deployment. Then I removed Control Tower and Identity Center and cleaned the accounts. After that I deployed Control Tower and Identity Center in the same region and it works.
Thanks again for your help.
I was happy to help you. :)
I seem to have ended up in the stateful multiple constraint violation scenario @secondabhi_aws mentioned.
My LZ failed to set up, and I decommissioned the Audit and Logs accounts that process had created, before trying again to deploy the LZ. Now, almost 3 months later, Control Tower can't successfully retry because it insists that those accounts are the ones it will use for those purposes, but since those accounts are already scheduled for deletion I want to tell it to create new accounts. I have completed all of the steps possible, as shown in all of the documents Abhi linked. Any other suggestions for how I can get CT out of this broken state? What will happen at the end of my 90-day waiting period for those accounts to be decommissioned?