Skip to content

Commit

Permalink
add placeholder for apptio
Browse files Browse the repository at this point in the history
  • Loading branch information
@badra001
badra001 committed Sep 11, 2025
1 parent 7b4af36 commit d6bf3e1
Showing 1 changed file with 27 additions and 21 deletions.
48 changes: 27 additions & 21 deletions aws/documentation/account-decommission/decommission.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,16 +16,17 @@ This assumes that all VPC-provisioned resources have been removed.
1. [Remove SSO Access](#step-1-remove-sso-access)
1. [Check and Remove VPCs and related](#step-2-check-and-remove-vpcs)
1. [Integration: Remove DataDog](#step-3-integration-remove-datadog)
1. [Move account out of Organization OU to Decomission OU](#step-4-move-account-out-of-organization-ou-to-decomission-ou)
1. [Remove infrastructure/{region}](#step-5-remove-infrastructureregion)
1. [Remove Users](#step-6-remove-users)
1. [Remove common service accounts](#step-7-remove-common-service-accounts)
1. [Other common/ directories](#step-8-other-common-directories)
1. [Remaining things in common/ which will not be removed](#step-9-remaining-things-in-common-which-will-not-be-removed)
1. [Empty S3 Buckets](#step-10-s3-buckets)
1. [Final checks before requesting removal](#step-11-final-checks-before-requesting-removal)
1. [Record the accounts as decomissioned](#step-12-record-the-accounts-as-decomissioned)
1. [Request Decommission of the reseller](#step-13-request-decommission-of-the-reseller)
1. [Integration: Remove Apptio](#step-4-integration-remove-apptio)
1. [Move account out of Organization OU to Decomission OU](#step-5-move-account-out-of-organization-ou-to-decomission-ou)
1. [Remove infrastructure/{region}](#step-6-remove-infrastructureregion)
1. [Remove Users](#step-7-remove-users)
1. [Remove common service accounts](#step-8-remove-common-service-accounts)
1. [Other common/ directories](#step-9-other-common-directories)
1. [Remaining things in common/ which will not be removed](#step-10-remaining-things-in-common-which-will-not-be-removed)
1. [Empty S3 Buckets](#step-11-s3-buckets)
1. [Final checks before requesting removal](#step-12-final-checks-before-requesting-removal)
1. [Record the accounts as decomissioned](#step-13-record-the-accounts-as-decomissioned)
1. [Request Decommission of the reseller](#step-14-request-decommission-of-the-reseller)

# Step 1: Remove SSO Access

Expand Down Expand Up @@ -122,7 +123,7 @@ tf-destroy
In the case of shared VPCs, they tend to be allocated based on OU membership. Please check in the network account and see
if a VPC is explicitly shared to an account or OU.

# Step 3: Integration: Remove DataDog
# Step 3: Integration: Remove Datadog

Go to the management account for the organizatioon, into the DataDog stackset account-deployment. This should be done
before moving the account to the Decomission OU, as it will remove a service account.
Expand Down Expand Up @@ -163,8 +164,10 @@ rm -rf ma24-gov
1. Remove named entry (e.g., `ma24-gov`) from `ent-gov.profiles.txt` (or _{org}_.profiles.txt)
1. Add entry into `ent-gov.decommissioned.txt` (or _{org}_.decomissioned.txt)
1. Commit and push

# Step 4: Integration: Remove Apptio

# Step 4: Move account out of Organization OU to Decomission OU
# Step 5: Move account out of Organization OU to Decomission OU

Find the appropriate organziation account entry (in organizations.account.yml or accounts/{label}.yml). Change the `ou`
to `Decommission`. Example:
Expand Down Expand Up @@ -195,7 +198,7 @@ You may check the organizations to be sure it has moved it properly. This shoul

## Dedicated VPCs

# Step 5: Remove infrastructure/{region}
# Step 6: Remove infrastructure/{region}

This assumes all files from the various buckets have been handled, either moved someplace else, if necessary,
or deemed ready for removal. The process to move files will be documented separately later (when we run into that case).
Expand Down Expand Up @@ -601,7 +604,7 @@ rm -rf .terraform*
git commit -m'decomission infrastructure/{region}' .
git push
```
# Step 6: Remove Users
# Step 7: Remove Users

This will remove some of of the users with `u-`, `a-`, and `s-` prefixes (user, admin, and service accounts). These will be primarily
in subdirectories, not directly in `common/`
Expand Down Expand Up @@ -743,7 +746,7 @@ git commit -m'decomission admin-users' -a .
git push
```

# Step 7: Remove common service accounts
# Step 8: Remove common service accounts

```script
tf-init -upgrade
Expand Down Expand Up @@ -852,11 +855,11 @@ git commit -m'decomission service accounts' -a .
git push
```

# Step 8: Other common/ directories
# Step 9: Other common/ directories

Clean up common/apps, common/east/.., common/west/..

# Step 9: Remaining things in common/ which will not be removed
# Step 10: Remaining things in common/ which will not be removed

```console
% tf-state list | grep aws | grep -v data.aws
Expand Down Expand Up @@ -910,7 +913,7 @@ We will need to record that the accounts have been removed.



# Step 10: S3 Buckets
# Step 11: S3 Buckets

Get a list of the S3 buckets in both regions.

Expand Down Expand Up @@ -942,15 +945,15 @@ We will need to stop the services using these and then empty the buckets.

**TBD** What to do with the data in the buckets?

# Step 11: Final checks before requesting removal
# Step 12: Final checks before requesting removal

Look around at resources. There should be nothing which consumes compute or EBS. A handful of S3 buckets may still
exist, for infrastructure things. This is fine.

We do not need to restore the account to a pristine state, as all of the resources will be deleted within 30 days of
the request to remove the account.

# Step 12: Record the accounts as decomissioned
# Step 13: Record the accounts as decomissioned

In the repository `cloud-information` and directory `/aws/info`, update the file `ACCOUNTS.md` and move the account details into the section labeled
`Decommissioned AWS Accounts`. Add the date of the decommission at the end, as shown in this example:
Expand All @@ -977,7 +980,7 @@ that works (because one cannot delete an account without some alternate payer in

This is where we will notify the reseller of the accounts to be removed.

# Step 13: Request Decommission of the reseller
# Step 14: Request Decommission of the reseller

1. change `decommission` to `true` in ew YAML file. This removes the specific account from the map, and will perform the account
deletion. It will put the account into a `PENDING-DELETE` state.
Expand Down Expand Up @@ -1117,3 +1120,6 @@ IEB,SCT/Cloud Infrastructure Cleanup - validate complete

* 1.0.7 -- 2024-12-02
- cleanup step 13, add step numbers to TOC

* 1.0.8 -- 2025-09-11
- add placeholder for remove apptio

0 comments on commit d6bf3e1

Please sign in to comment.