
Stuck decommissioning a landing zone

0

I tried to destroy a CloudFormation stack that was used to commission a landing zone. The landing zone was commissioned via a CDK stack (I normally only deploy via CDK). And deployed (correctly???). But I then read that this was only for experts and this is my first experience with a landing zone, so I decided to undeploy (CDK destroy). It seems that my dependencies were wrong and that permissions were removed from the landing zone accounts before the decommissioning was complete. I have now tried many different CloudFormation-based and manual fixes, and I am pretty sure I have made things worse. I have read the various posts on cleaning up a failed deployment, but I am past this point: I cannot complete the decommissioning. I actually believe that the clean up is complete but Control Tower does not know it.

I have this error message in the console.

"AWS Control Tower has failed to decommission your landing zone. An error occurred while decommissioning your landing zone: AWS Control Tower is unable to assume the AWSControlTowerExecution role in the account: *********. Add the role to your account if it's not present, and try again."

I 'believe' I have fixed this problem, but when I select retry, nothing seems to happen.

So I am stuck, can anyone help?

2 Answers
0

This is a challenging situation that can occur when the decommissioning process for an AWS Control Tower landing zone is interrupted or when changes are made outside of AWS Control Tower's management flow.

Based on your description, it sounds like you've encountered a state where Control Tower believes it needs to continue the decommissioning process but can't proceed because it's missing the necessary permissions or roles.

Here are some steps to try resolving this issue:

  1. First, verify that the AWSControlTowerExecution role exists in the account mentioned in the error message and has the correct permissions. If it doesn't exist, you'll need to recreate it.

  2. If you've already fixed the role issue but the "retry" button isn't working, this could indicate that Control Tower's metadata is in an inconsistent state.

  3. Try using the AWS CLI to decommission the landing zone instead of the console:

     aws controltower delete-landing-zone --landing-zone-identifier "<your-landing-zone-arn>"

  4. If you're still encountering issues, check if there are any CloudFormation stacks with termination protection enabled. You may need to disable termination protection on these stacks before proceeding.

  5. Look for any remaining AWS Backup baselines that might be blocking the decommissioning process. If you had AWS Backup enabled on any OUs that were subsequently removed, this could be causing the issue.

If none of these steps resolve your issue, you'll likely need to open a support case with AWS. This is often the most effective solution for situations where Control Tower's metadata is in an inconsistent state. AWS Support can help clean up the metadata references and allow you to complete the decommissioning process.

Remember that after decommissioning, some resources like S3 buckets and CloudWatch Logs log groups will remain and need to be manually deleted. Also, certain IAM roles and policies will need to be removed from the management account before you can set up another landing zone.
Sources
Removed OU with enabled AWS Backup blocks any operations on Control Tower's Landing Zone | AWS re:Post
Decommission your landing zone with APIs - AWS Control Tower
Decommission an AWS Control Tower landing zone - AWS Control Tower
Setup after decommissioning a landing zone - AWS Control Tower

answered 2 months ago
0

What you'll likely need to do is perform a reset on your landing zone to ensure it's back to its baseline configuration. This is done via AWS CLI and the command details can be found here: https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-reset.html

After that is done, you should then be able to decommission the landing zone (assuming you resolved the issue with the missing AWSControlTowerExecution role. That role is critical as it's the one the Control Tower service uses to take action across accounts in your Org.)

AWS EXPERT, answered 2 months ago
AWS EXPERT, reviewed 22 days ago
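Putting the two answers together (confirm the AWSControlTowerExecution role is assumable from the management account, reset the landing zone through the API, then decommission it), as an added Python example that is not code from either answer or from AWS. The clients are passed in so the sequence can be exercised offline with fakes; the call names and response fields are those of boto3's controltower and sts clients, while the polling interval, session name and run order are assumptions of this example.

```python
"""Pre-flight check plus reset/decommission sequence for a stuck Control Tower
landing zone. Added example (not the post's code). Clients are injected so the
flow can run offline; the real run in __main__ needs management-account
credentials. API names/fields follow boto3; polling values are assumptions."""
import time

ROLE_NAME = "AWSControlTowerExecution"  # the role named in the console error


def execution_role_assumable(sts, account_id):
    """True if the caller can assume the execution role in account_id, which is
    the capability Control Tower itself needs while decommissioning."""
    arn = f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"
    try:
        sts.assume_role(RoleArn=arn, RoleSessionName="ct-decommission-preflight")
        return True
    except Exception:  # boto3 raises a ClientError on AccessDenied / missing role
        return False


def wait_for_operation(ct, operation_id, poll_seconds=15, max_polls=240):
    """Poll GetLandingZoneOperation until it leaves IN_PROGRESS; return status."""
    for _ in range(max_polls):
        op = ct.get_landing_zone_operation(operationIdentifier=operation_id)
        status = op["operationDetails"]["status"]  # SUCCEEDED | FAILED | IN_PROGRESS
        if status != "IN_PROGRESS":
            return status
        time.sleep(poll_seconds)
    return "TIMED_OUT"  # assumed sentinel for this example, not an AWS status


def reset_then_decommission(ct, sts, landing_zone_arn, account_ids, poll_seconds=15):
    """Order taken from the answers: verify the role in every enrolled account,
    reset the landing zone to baseline, then delete it. Stop at first failure."""
    missing = [a for a in account_ids if not execution_role_assumable(sts, a)]
    if missing:  # same condition the console error reports; fix before retrying
        return {"step": "preflight", "status": "ROLE_MISSING", "accounts": missing}
    op = ct.reset_landing_zone(landingZoneIdentifier=landing_zone_arn)
    status = wait_for_operation(ct, op["operationIdentifier"], poll_seconds)
    if status != "SUCCEEDED":
        return {"step": "reset", "status": status}
    op = ct.delete_landing_zone(landingZoneIdentifier=landing_zone_arn)
    status = wait_for_operation(ct, op["operationIdentifier"], poll_seconds)
    return {"step": "delete", "status": status}


if __name__ == "__main__":
    import sys
    import boto3  # args: <landing-zone-arn> <account-id> [<account-id> ...]
    print(reset_then_decommission(boto3.client("controltower"), boto3.client("sts"),
                                  sys.argv[1], sys.argv[2:]))
```

A result with step "preflight" lists the accounts where the role still cannot be assumed, so nothing is reset or deleted until that is fixed.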
