Support AWS Control Tower managed accounts #380

Open
fdeswardt opened this issue Sep 29, 2020 · 7 comments

@fdeswardt

Is your feature request related to a problem? Please describe.
Yes, the aws-nuke template included in DCE blows away several Control Tower resources e.g. AWS SSO roles and SAML provider, StackSet roles and stacks, OrganizationAccountAccessRole, and attempts to "nuke" Config configurations that are prevented by SCPs attached to the OU.

Describe the solution you'd like
Updated aws-nuke template to include filters for the AWS Control Tower and AWS Organizations roles and configurations.

Describe alternatives you've considered
Create a custom aws-nuke template and override the default template, though this requires additional steps in deployments.

Additional context
During the DCE presentation at re:Invent 2019 it was mentioned that "there is no reason why DCE will not work with Control Tower managed accounts" though the default aws-nuke template will most definitely not work with CT managed accounts, nor with accounts that are part of AWS Organization with all features enabled, the required state when deploying Control Tower.
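
An added example, not part of the issue or of the DCE project's code: a pre-deployment check that evaluates a filter set against a resource inventory and lists what an account reset would still delete. The matching is a simplified stand-in for aws-nuke's filter types, and the filter patterns and the inventory are constructed assumptions.

```python
import fnmatch
import re

# Constructed filter set shaped like an aws-nuke "filters" section
# (resource type -> filter list). The patterns are assumptions based on the
# resource kinds named in the issue; verify them against a real account.
FILTERS = {
    "IAMRole": [
        {"type": "exact", "value": "OrganizationAccountAccessRole"},
        {"type": "exact", "value": "AWSControlTowerExecution"},
        {"type": "glob", "value": "aws-controltower-*"},
        {"type": "glob", "value": "AWSReservedSSO_*"},
        {"type": "glob", "value": "stacksets-exec-*"},
    ],
    "IAMSAMLProvider": [{"type": "regex", "value": r"saml-provider/AWSSSO_.*_DO_NOT_DELETE$"}],
    "CloudFormationStack": [{"type": "glob", "value": "StackSet-AWSControlTower*"}],
}

# Constructed inventory: (resource type, identifier). Not from a real account.
INVENTORY = [
    ("IAMRole", "OrganizationAccountAccessRole"),
    ("IAMRole", "AWSControlTowerExecution"),
    ("IAMRole", "aws-controltower-ConfigRecorderRole"),
    ("IAMRole", "AWSReservedSSO_AdministratorAccess_0123456789abcdef"),
    ("IAMRole", "stacksets-exec-0123456789abcdef"),
    ("IAMSAMLProvider",
     "arn:aws:iam::111111111111:saml-provider/AWSSSO_0123456789abcdef_DO_NOT_DELETE"),
    ("CloudFormationStack", "StackSet-AWSControlTowerBP-BASELINE-CONFIG-example"),
    ("IAMRole", "sandbox-user-lambda-role"),
    ("S3Bucket", "s3://sandbox-scratch-bucket"),
]

def is_filtered(rtype, name, filters):
    """True if any filter for this resource type matches (resource is kept)."""
    for f in filters.get(rtype, []):
        kind, value = f.get("type", "exact"), f["value"]
        if ((kind == "exact" and name == value)
                or (kind == "contains" and value in name)
                or (kind == "glob" and fnmatch.fnmatchcase(name, value))
                or (kind == "regex" and re.search(value, name))):
            return True
    return False

def would_delete(inventory, filters):
    """Resources no filter protects, i.e. what an account reset would remove."""
    return [(t, n) for t, n in inventory if not is_filtered(t, n, filters)]

if __name__ == "__main__":
    for rtype, name in would_delete(INVENTORY, FILTERS):
        print("would delete:", rtype, name)
```

Running the same check with an empty filter set shows every inventory entry, including the Control Tower and SSO ones, as a deletion candidate.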

@eschwartz
Contributor

@fdeswardt you can customize the aws-nuke template

https://dce.readthedocs.io/en/latest/howto.html#account-resets

@fdeswardt
Author

Hi @eschwartz, I'm aware that I can customize the aws-nuke default template, though I want to know if there are more templates to choose from, e.g. a template that will preserve AWS Organization resources like AWS SSO, and another template for Control Tower resources?

If not, can I contribute this to the dce project? If so, should I modify the default aws-nuke template with more filters, or add new template yaml files for different scenarios?

@eschwartz
Contributor

There are not additional templates available, no.

> can I contribute this to the dce project?

I'll defer to the project maintainers on that one.

@thebigcosinus

Hi, do you have a valid aws-nuke template for Control Tower organizations?

@mmunem

mmunem commented Jul 14, 2022

> Hi, do you have a valid aws-nuke template for Control Tower organizations?

Try mine - works fine

https://github.com/mmunem/dcect/blob/master/cmd/codebuild/reset/default-nuke-config-template.yml

@mavogel

mavogel commented Oct 2, 2022

You might want to extend the filter-presets with the one for controltower as well: rebuy-de/aws-nuke#711 (comment)

@hsdp-smulford

+1
