Setting up AWS Control Tower with an existing production account as the 'management' account

Right now this is what we look like

Ye, it's just a little frustrating as I've spent the last 1 or 2 weeks setting up Identity Centre :confused:

But yeah, I think if you export your current Identity Center configurations (users, groups, permission sets, etc.) and then set them up in the new management account before you invite prod into the managed org, you should be relatively ok

Are you using IaC for your Identity Center?

All the config is in Terraform

Oh ok - so then replicating it in the new management account should be pretty easy

Problem is Identity Centre is what powers our VPN, and that config will have to be recreated.

Probably better we do this sooner, whilst we don't have too much coupled with our current Identity Centre

You mean, for access to the VPN?

Ye, sorry, right, for access to the Client VPN

Ah yeah, you definitely want to give a heads-up to any prod users that there may be a little downtime and there will be a new SSO URL, but if you have everything configured with IaC then you can stand up and test those in a dev env under the new management account before you cut over

You could even set up a temp test account that works similarly to your prod and test bringing that in, then clear out your resources and keep that as your dev

Ye, thanks, I see a path forward, just need to plan everything to prevent disruption!

You got this! :slightly_smiling_face:

Appreciate your help!

You mean general read or is there something specific here?

I would say in general it might be a good reference. You had asked about if there was a list of services to set up in the management account, and I think that might be in here or at least insight into recommendations for like logging and security accounts and what they probably should include.

Ye, I guess I meant services that ought to be created on the management account, e.g. Identity Center.

Thanks, will take a look