update
badra001 committed Sep 12, 2025
1 parent 630e9b8 commit 22e11e1
Showing 1 changed file with 39 additions and 29 deletions.
68 changes: 39 additions & 29 deletions aws/documentation/account-decommission/decommission.md
Expand Up @@ -8,9 +8,10 @@ This assumes that all VPC-provisioned resources have been removed.

* Pre-check

- [ ] Validate approval to remove account
> This document describes prerequisite steps before decommissing an AWS account. [here](https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/account-decommissioning).
- [ ] Validate approval to remove account. Follow the process defeined [here](https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/account-decommissioning).
- [ ] Update [ACCOUNTS.md](https://github.e.it.census.gov/terraform/cloud-information/blob/master/aws/info/ACCOUNTS.md) to indicate the intention to decomission account.
- [ ] Destroy VPC provisioned resources
- [ ] Destroy non-VPC provisioned resources

* Actitivities

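Review bot: The two checklist items that carry links misspell words in their visible text: "defeined" in the "Validate approval to remove account" item and "decomission" in the "Update ACCOUNTS.md" item. Suggest "defined" and "decommission", so that a search for the correctly spelled term finds the checklist. The items "Destroy VPC provisioned resources" and "Destroy non-VPC provisioned resources" would also be easier to follow if they used the same wording as the Pre-Check headings they correspond to ("created" there, "provisioned" here).
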
Expand All @@ -29,6 +30,33 @@ This assumes that all VPC-provisioned resources have been removed.
1. [Record the accounts as decomissioned](#step-13-record-the-accounts-as-decomissioned)
1. [Request Decommission of the reseller](#step-14-request-decommission-of-the-reseller)

# Pre-Check

## Complete account decomission validation document

## Record the accounts to be decomissioned in ACCOUNTS.md

In the repository `cloud-information` and directory `/aws/info`, update the file `ACCOUNTS.md` and move the account details into the section labeled
`Decommissioned AWS Accounts`. Add the date of the decommission at the end, as shown in this example:

```script
| Account Number | Account Name | Use | Tennant | Registered Email Address | Console URL | Date |
|---|---|---|---|---|---|---|
| 576208090170 | ma24-ew | Enterprise EW EDL Internal Compute | AWS East/West | csvd.aws+ma24-ew@census.gov | https://us-east-2.console.aws.amazon.com/console | 2024-09-20 |
| 198886018595 | ma24-gov| Enterprise GovCloud EDL Internal Compute | AWS GovCloud | | https://ma24-gov-edl.signin.amazonaws-us-gov.com/ | 2024-09-20 |
```

Also add a comment to the end of the Changelog:

```script
* 2024-09-20
* move ma24-{ew,gov} to decommissioned
```

## Destroy VPC created resoures

## Destroy non-VPC created resoures

# Step 1: Remove SSO Access

Check that the account has no user-based sso configuration. In each managemement account for the respective organization, ent-ew(109223337795-censusaws), and one of ent-gov(252903981224-ma5-gov) or lab-gov(243219719746-lab-gov-management-nonprod),
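
Review bot: In the new "Record the accounts to be decomissioned in ACCOUNTS.md" section, the body still tells the reader to move the account into `Decommissioned AWS Accounts` and to "Add the date of the decommission", although at Pre-Check the account is still live and Step 1 (Remove SSO Access) has not yet run. The checklist item says only "indicate the intention", so the text should say how a pending account is marked, rather than listing a still-active account as decommissioned in the inventory. The headings "Complete account decomission validation document", "Destroy VPC created resoures" and "Destroy non-VPC created resoures" have no body; add a link or one line under each and fix "resoures".
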
Expand Down Expand Up @@ -954,33 +982,6 @@ exist, for infrastructure things. This is fine.
We do not need to restore the account to a pristine state, as all of the resources will be deleted within 30 days of
the request to remove the account.

# Step 13: Record the accounts as decomissioned

In the repository `cloud-information` and directory `/aws/info`, update the file `ACCOUNTS.md` and move the account details into the section labeled
`Decommissioned AWS Accounts`. Add the date of the decommission at the end, as shown in this example:

```script
| Account Number | Account Name | Use | Tennant | Registered Email Address | Console URL | Date |
|---|---|---|---|---|---|---|
| 576208090170 | ma24-ew | Enterprise EW EDL Internal Compute | AWS East/West | csvd.aws+ma24-ew@census.gov | https://us-east-2.console.aws.amazon.com/console | 2024-09-20 |
| 198886018595 | ma24-gov| Enterprise GovCloud EDL Internal Compute | AWS GovCloud | | https://ma24-gov-edl.signin.amazonaws-us-gov.com/ | 2024-09-20 |
```

Also add a comment to the end of the Changelog:

```script
* 2024-09-20
* move ma24-{ew,gov} to decommissioned
```


In the respective organization management accounts, we will be moving the YAML files into a directory called
`infrastructure/global/organizations/decomissioned-accounts/`, but not until after the accounts have been officially
removed, as TF actions in the account directory of the management repo will try to delete them, and that's not something
that works (because one cannot delete an account without some alternate payer information).

This is where we will notify the reseller of the accounts to be removed.

# Step 14: Request Decommission of the reseller

1. change `decommission` to `true` in ew YAML file. This removes the specific account from the map, and will perform the account
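
Review bot: Removing the "# Step 13: Record the accounts as decomissioned" heading leaves the table of contents entry `[Record the accounts as decomissioned](#step-13-record-the-accounts-as-decomissioned)` pointing at an anchor that no longer exists, and the numbering now skips 13 before "Step 14". Either retarget that entry at the new Pre-Check section or drop it and renumber the following step and its anchor.
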
Expand Down Expand Up @@ -1031,6 +1032,12 @@ git grep ditd-partnerportal-prod-ew
```
Commit, push and PR if you had to remove the account from YAML files.

In the respective organization management accounts, we will be moving the YAML files into a directory called
`infrastructure/global/organizations/decomissioned-accounts/`, but not until after the accounts have been officially
removed, as TF actions in the account directory of the management repo will try to delete them, and that's not something
that works (because one cannot delete an account without some alternate payer information).

This is where we will notify the reseller of the accounts to be removed.

# Notes

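Review bot: The relocated paragraph at the end of Step 14 defers moving the YAML files into `infrastructure/global/organizations/decomissioned-accounts/` until "after the accounts have been officially removed", but nothing visible here records who does that or when, so it is easy to lose once the PR above is merged. Suggest a checklist item or a short final step for it. The closing sentence "This is where we will notify the reseller of the accounts to be removed." read as a lead-in to Step 14 in its old position; after the commit and push instructions it no longer says which action "this" refers to. Also confirm that the directory name is really spelled "decomissioned-accounts".
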
Expand Down Expand Up @@ -1124,3 +1131,6 @@ IEB,SCT/Cloud Infrastructure Cleanup - validate complete

* 1.0.8 -- 2025-09-11
- add placeholder for remove apptio

* 1.0.9 -- 2025-09-12
- move info/ACCOUNTS.md higher in the process

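Review bot: The 1.0.9 entry mentions only moving info/ACCOUNTS.md, but the same commit removes the "Step 13" heading and relocates the management-repo YAML paragraph into Step 14. Add both to the entry so the changelog explains why the step numbering changed.
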