Showing posts from 2024

Fixing AWS Control Tower Baseline resources

Problem

When updating AWS Control Tower accounts after a landing zone upgrade, you may find that some dev has messed up the Control Tower resources or attempted to remove a Stack when they shouldn't. This can lead to the account updates failing for various reasons. You may see something like...

    AWS Control Tower failed to deploy one or more stack set instances: StackSet Id: AWSControlTowerBP-BASELINE-CONFIG:4ef4fefe-1234-4659-938c-fd6da95c0e76, Stack instance Id: arn:aws:cloudformation:us-east-1:406111111874:stack/StackSet-AWSControlTowerBP-BASELINE-CONFIG-c46feddd-1234-459c-aa45-132e23e4d36c/43406ac0-928a-11ec-9017-0eb6c2b8c189, Status: OUTDATED, Status Reason: Stack:arn:aws:cloudformation:us-east-1:406111111874:stack/StackSet-AWSControlTowerBP-BASELINE-CONFIG-c46feddd-1234-459c-aa45-132e23e4d36c/43406ac0-928a-11ec-9017-0eb6c2b8c189 is in DELETE_FAILED state and can not be updated.

Or maybe you hit something like...

    AWS Control Tower cannot create the Config deliverychannel aws-c

AWS - Clean up left over EBS volumes

Sometimes you mess up and forget to have EC2 instances delete their volumes on termination. When this happens you may need to clean them up. If you have a list of the AMI IDs that were used in each region, here is a script that lets you find volumes using the AMI snapshot ids that are no longer mounted and need to be cleaned up.

ebs_cleanup.py

    import boto3
    import botocore.exceptions as boto_exc

    AMI_MAP = {
        "us-east-1": "ami-0123456789abcef12",
        "us-east-2": "ami-0123456789abcef13",
        "us-west-1": "ami-0123456789abcef14",
        "us-west-2": "ami-0123456789abcef15",
    }


    def get_snapshot_from_id(client, ami_id):
        resp = client.describe_images(
            ImageIds=[ami_id]
        )
        return resp["Images"][0]["BlockDeviceMappings"][0]["Ebs"]["SnapshotId"]


    session = boto3.Session()
    ec2 = session.client("ec2")
    count = 0
    for region in ec2.describe_regions()