Undeploy accounts

Remove infrastructure configured with config sets to the specified organizational units and accounts.


tkm org accounts undeploy [ou-path...] \
  [--account <account_id>]... \
  [--concurrent-accounts <number>] \
  [--config-set <config-set>] \
  [--command-path <command-path>]

Positional arguments

  • ou-path...

    • You can pass one or more organizational unit paths to undeploy only the accounts that belong to organizational units located under the given paths in the organization hierarchy.


In addition to the common options, this command has the following options.

  • --account <account id>

    • Choose accounts to undeploy. You can use this option multiple times to specify more accounts.

  • --concurrent-accounts <number>

    • Number of accounts to undeploy concurrently.

  • --config-set <config-set>

    • Undeploy only this config set.

    • Optional.

  • --command-path <command-path>

    • Undeploy only stacks under this command path.

    • Optional.

    • To use this option, also the --config-set option must be given.

IAM permissions

These are the minimum IAM permissions required to run this command.

  - Effect: Allow
      - organizations:ListRoots
      - organizations:ListTargetsForPolicy
      - organizations:ListAWSServiceAccessForOrganization
      - organizations:DescribePolicy
      - organizations:ListPolicies
      - organizations:ListAccountsForParent
      - organizations:ListAccounts
      - organizations:DescribeOrganization
      - organizations:ListOrganizationalUnitsForParent
    Resource: "*"

  # IAM permissions needed to assume role from the target accounts.
  # Specify resource to restrict access to specific roles.  
  - Sid: IAM
    Effect: Allow
      - sts:AssumeRole
    Resource: "*"


Undeploy all accounts in the organization.

tkm org accounts undeploy

Undeploy only accounts that belong to the organizational unit Root/Sandbox or to any organizational units under it.

tkm org accounts undeploy Root/Sandbox

Undeploy only accounts that belong to the organizational unit Root/Apps/Dev or Root/Apps/Test, or to any organizational units under them.

tkm org accounts undeploy Root/Apps/Dev Root/Apps/Test

Undeploy only account 123456789012.

tkm org accounts undeploy --account 123456789012

Undeploy only account 123456789012 and 777777777777.

tkm org accounts undeploy \
  --account 123456789012 \
  --account 777777777777

Last updated