Tear down accounts

Tear down infrastructure configured with config sets to the specified organizational units and accounts.

Usage

tkm org accounts tear-down [ou-path...] \
  [--account <account_id>]... \
  [--concurrent-accounts <number>] \
  [--config-set <config-set>] \
  [--command-path <command-path>]

Positional arguments

ou-path...
- You can pass one or more organizational unit paths to tear down only the accounts that belong to organizational units located under the given paths in the organization hierarchy.

Options

In addition to the common options, this command has the following options.

--account <account id>
- Choose accounts to tear down. You can use this option multiple times to specify more accounts.
--concurrent-accounts <number>
- Number of accounts to tear down concurrently.
--config-set <config-set>
- Teardown only this config set.
- Optional.
--command-path <command-path>
- Teardown only stacks under this command path.
- Optional.
- To use this option, also the --config-set option must be given.

IAM permissions

These are the minimum IAM permissions required to run this command.

Statement:
  - Effect: Allow
    Action:
      - organizations:ListRoots
      - organizations:ListTargetsForPolicy
      - organizations:ListAWSServiceAccessForOrganization
      - organizations:DescribePolicy
      - organizations:ListPolicies
      - organizations:ListAccountsForParent
      - organizations:ListAccounts
      - organizations:DescribeOrganization
      - organizations:ListOrganizationalUnitsForParent
    Resource: "*"

  # IAM permissions needed to assume role from the target accounts.
  # Specify resource to restrict access to specific roles.  
  - Sid: IAM
    Effect: Allow
    Action:
      - sts:AssumeRole
    Resource: "*"

Examples

Tear down all accounts in the organization.

tkm org accounts tear-down

Tear down only accounts that belong to the organizational unit Root/Sandbox or to any organizational units under it.

tkm org accounts tear-down Root/Sandbox

PreviousBootstrap accounts

Last updated 3 years ago

Was this helpful?

Options

In addition to the common options, this command has the following options.

--account <account id>

Choose accounts to tear down. You can use this option multiple times to specify more accounts.

--concurrent-accounts <number>

Number of accounts to tear down concurrently.

--config-set <config-set>

Teardown only this config set.
Optional.

--command-path <command-path>

Teardown only stacks under this command path.
Optional.
To use this option, also the --config-set option must be given.

IAM permissions

These are the minimum IAM permissions required to run this command.

Statement:
  - Effect: Allow
    Action:
      - organizations:ListRoots
      - organizations:ListTargetsForPolicy
      - organizations:ListAWSServiceAccessForOrganization
      - organizations:DescribePolicy
      - organizations:ListPolicies
      - organizations:ListAccountsForParent
      - organizations:ListAccounts
      - organizations:DescribeOrganization
      - organizations:ListOrganizationalUnitsForParent
    Resource: "*"

  # IAM permissions needed to assume role from the target accounts.
  # Specify resource to restrict access to specific roles.  
  - Sid: IAM
    Effect: Allow
    Action:
      - sts:AssumeRole
    Resource: "*"