From 22e11e1d69ada10cac617f311b4e655b141ba696 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 12 Sep 2025 08:20:33 -0400 Subject: [PATCH] update --- .../account-decommission/decommission.md | 68 +++++++++++-------- 1 file changed, 39 insertions(+), 29 deletions(-) diff --git a/aws/documentation/account-decommission/decommission.md b/aws/documentation/account-decommission/decommission.md index 0d56e25a..b1e72f24 100644 --- a/aws/documentation/account-decommission/decommission.md +++ b/aws/documentation/account-decommission/decommission.md @@ -8,9 +8,10 @@ This assumes that all VPC-provisioned resources have been removed. * Pre-check -- [ ] Validate approval to remove account - > This document describes prerequisite steps before decommissing an AWS account. [here](https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/account-decommissioning). +- [ ] Validate approval to remove account. Follow the process defeined [here](https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/account-decommissioning). +- [ ] Update [ACCOUNTS.md](https://github.e.it.census.gov/terraform/cloud-information/blob/master/aws/info/ACCOUNTS.md) to indicate the intention to decomission account. - [ ] Destroy VPC provisioned resources +- [ ] Destroy non-VPC provisioned resources * Actitivities 
@@ -29,6 +30,33 @@ This assumes that all VPC-provisioned resources have been removed. 1. [Record the accounts as decomissioned](#step-13-record-the-accounts-as-decomissioned) 1. [Request Decommission of the reseller](#step-14-request-decommission-of-the-reseller) +# Pre-Check + +## Complete account decomission validation document + +## Record the accounts to be decomissioned in ACCOUNTS.md + +In the repository `cloud-information` and directory `/aws/info`, update the file `ACCOUNTS.md` and move the account details into the section labeled +`Decommissioned AWS Accounts`. Add the date of the decommission at the end, as shown in this example: + +```script +| Account Number | Account Name | Use | Tennant | Registered Email Address | Console URL | Date | +|---|---|---|---|---|---|---| +| 576208090170 | ma24-ew | Enterprise EW EDL Internal Compute | AWS East/West | csvd.aws+ma24-ew@census.gov | https://us-east-2.console.aws.amazon.com/console | 2024-09-20 | +| 198886018595 | ma24-gov| Enterprise GovCloud EDL Internal Compute | AWS GovCloud | | https://ma24-gov-edl.signin.amazonaws-us-gov.com/ | 2024-09-20 | +``` + +Also add a comment to the end of the Changelog: + +```script +* 2024-09-20 + * move ma24-{ew,gov} to decommissioned +``` + +## Destroy VPC created resoures + +## Destroy non-VPC created resoures + # Step 1: Remove SSO Access Check that the account has no user-based sso configuration. In each managemement account for the respective organization, ent-ew(109223337795-censusaws), and one of ent-gov(252903981224-ma5-gov) or lab-gov(243219719746-lab-gov-management-nonprod), 
@@ -954,33 +982,6 @@ exist, for infrastructure things. This is fine. We do not need to restore the account to a pristine state, as all of the resources will be deleted within 30 days of the request to remove the account. -# Step 13: Record the accounts as decomissioned - -In the repository `cloud-information` and directory `/aws/info`, update the file `ACCOUNTS.md` and move the account details into the section labeled -`Decommissioned AWS Accounts`. Add the date of the decommission at the end, as shown in this example: - -```script -| Account Number | Account Name | Use | Tennant | Registered Email Address | Console URL | Date | -|---|---|---|---|---|---|---| -| 576208090170 | ma24-ew | Enterprise EW EDL Internal Compute | AWS East/West | csvd.aws+ma24-ew@census.gov | https://us-east-2.console.aws.amazon.com/console | 2024-09-20 | -| 198886018595 | ma24-gov| Enterprise GovCloud EDL Internal Compute | AWS GovCloud | | https://ma24-gov-edl.signin.amazonaws-us-gov.com/ | 2024-09-20 | -``` - -Also add a comment to the end of the Changelog: - -```script -* 2024-09-20 - * move ma24-{ew,gov} to decommissioned -``` - - -In the respective organization management accounts, we will be moving the YAML files into a directory called -`infrastructure/global/organizations/decomissioned-accounts/`, but not until after the accounts have been officially -removed, as TF actions in the account directory of the management repo will try to delete them, and that's not something -that works (because one cannot delete an account without some alternate payer information). - -This is where we will notify the reseller of the accounts to be removed. - # Step 14: Request Decommission of the reseller 1. change `decommission` to `true` in ew YAML file. This removes the specific account from the map, and will perform the account 
@@ -1031,6 +1032,12 @@ git grep ditd-partnerportal-prod-ew ``` Commit, push and PR if you had to remove the account from YAML files. +In the respective organization management accounts, we will be moving the YAML files into a directory called +`infrastructure/global/organizations/decomissioned-accounts/`, but not until after the accounts have been officially +removed, as TF actions in the account directory of the management repo will try to delete them, and that's not something +that works (because one cannot delete an account without some alternate payer information). + +This is where we will notify the reseller of the accounts to be removed. # Notes @@ -1124,3 +1131,6 @@ IEB,SCT/Cloud Infrastructure Cleanup - validate complete * 1.0.8 -- 2025-09-11 - add placeholder for remove apptio + +* 1.0.9 -- 2025-09-12 + - move info/ACCOUNTS.md higher in the process
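Review bot: in the first hunk (@@ -8,9 +8,10, the Pre-check checklist), the two added items misspell "defined" as "defeined" and "decommission" as "decomission"; please fix both before merge. The hunk's context line still reads "This assumes that all VPC-provisioned resources have been removed", which conflicts with listing "Destroy VPC provisioned resources" and the new "Destroy non-VPC provisioned resources" as unchecked pre-check items. Either drop that sentence or reword it so the reader knows whether resource teardown is a prerequisite or part of this procedure.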
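Review bot: in the second hunk (@@ -29,6 +30,33, the new "# Pre-Check" section), the text moved under "Record the accounts to be decomissioned in ACCOUNTS.md" still tells the reader to move the account into `Decommissioned AWS Accounts` and "Add the date of the decommission at the end", while the checklist item added in the first hunk says the update is only "to indicate the intention" to decommission. At pre-check time the account is still live (Step 1, Remove SSO Access, comes after), so following the moved text as written would record an active account as decommissioned in the inventory. Suggest rewording this section to mark the account as pending decommission with a planned date, and keeping the final move with the actual date as a step after the account is removed. Separately, the headings "Complete account decomission validation document", "Destroy VPC created resoures" and "Destroy non-VPC created resoures" are added with no body; add at least a one-line instruction or link under each, and correct "resoures".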
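Review bot: the third hunk (@@ -954,33 +982,6) removes the "# Step 13: Record the accounts as decomissioned" heading, but the table of contents shown as context in the second hunk still links to `#step-13-record-the-accounts-as-decomissioned`, so that entry becomes a dead anchor. The next heading also stays "# Step 14", leaving a gap in the step numbering. Please remove or retarget the TOC entry, add the new Pre-Check headings to the TOC if they should be navigable, and either renumber Step 14 or keep a short Step 13 that finalizes the ACCOUNTS.md record.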
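Review bot: in the fourth hunk (@@ -1031,6 +1032,12), the relocated paragraph is added directly after "Commit, push and PR if you had to remove the account from YAML files." with no blank line between them, so Markdown will render both as one paragraph; add a blank line before "In the respective organization management accounts". The paragraph also carries the caution that TF actions in the account directory "will try to delete them", and it now sits after the Step 14 actions rather than ahead of them. Consider moving it to the top of Step 14 so the reader sees it before changing `decommission` to `true`. The closing sentence "This is where we will notify the reseller" no longer has a clear referent at the end of the section; state explicitly at which point in Step 14 the reseller is notified.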
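Review bot: in the last hunk (@@ -1124,3 +1131,6), the 1.0.9 changelog entry only says "move info/ACCOUNTS.md higher in the process", but this patch also adds the "Destroy non-VPC provisioned resources" pre-check, removes Step 13, and relocates the reseller and YAML paragraph into Step 14. Please list those changes in the entry, and replace the commit subject "update" with a line that names the change, so the history of this procedure can be audited later.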