2015-02-06 16:34:24 +01:00
|
|
|
package aws
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2015-11-10 23:19:15 +01:00
|
|
|
"log"
|
2016-10-25 14:18:41 +02:00
|
|
|
"regexp"
|
2015-02-06 16:34:24 +01:00
|
|
|
|
2015-06-03 20:36:57 +02:00
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
|
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
|
|
|
"github.com/aws/aws-sdk-go/service/iam"
|
2015-02-06 16:34:24 +01:00
|
|
|
|
|
|
|
"github.com/hashicorp/terraform/helper/schema"
|
|
|
|
)
|
|
|
|
|
|
|
|
func resourceAwsIamUser() *schema.Resource {
|
|
|
|
return &schema.Resource{
|
|
|
|
Create: resourceAwsIamUserCreate,
|
|
|
|
Read: resourceAwsIamUserRead,
|
2015-09-13 09:27:07 +02:00
|
|
|
Update: resourceAwsIamUserUpdate,
|
2015-02-06 16:34:24 +01:00
|
|
|
Delete: resourceAwsIamUserDelete,
|
2016-06-23 03:56:59 +02:00
|
|
|
Importer: &schema.ResourceImporter{
|
|
|
|
State: schema.ImportStatePassthrough,
|
|
|
|
},
|
2015-02-06 16:34:24 +01:00
|
|
|
|
|
|
|
Schema: map[string]*schema.Schema{
|
|
|
|
"arn": &schema.Schema{
|
|
|
|
Type: schema.TypeString,
|
|
|
|
Computed: true,
|
|
|
|
},
|
|
|
|
/*
|
|
|
|
The UniqueID could be used as the Id(), but none of the API
|
|
|
|
calls allow specifying a user by the UniqueID: they require the
|
|
|
|
name. The only way to locate a user by UniqueID is to list them
|
2016-09-12 08:14:24 +02:00
|
|
|
all and that would make this provider unnecessarily complex
|
2015-02-06 16:34:24 +01:00
|
|
|
and inefficient. Still, there are other reasons one might want
|
2015-09-11 20:56:20 +02:00
|
|
|
the UniqueID, so we can make it available.
|
2015-02-06 16:34:24 +01:00
|
|
|
*/
|
|
|
|
"unique_id": &schema.Schema{
|
|
|
|
Type: schema.TypeString,
|
|
|
|
Computed: true,
|
|
|
|
},
|
|
|
|
"name": &schema.Schema{
|
2016-10-25 14:18:41 +02:00
|
|
|
Type: schema.TypeString,
|
|
|
|
Required: true,
|
|
|
|
ValidateFunc: validateAwsIamUserName,
|
2015-02-06 16:34:24 +01:00
|
|
|
},
|
|
|
|
"path": &schema.Schema{
|
|
|
|
Type: schema.TypeString,
|
|
|
|
Optional: true,
|
|
|
|
Default: "/",
|
|
|
|
ForceNew: true,
|
|
|
|
},
|
2016-07-25 09:15:03 +02:00
|
|
|
"force_destroy": &schema.Schema{
|
|
|
|
Type: schema.TypeBool,
|
|
|
|
Optional: true,
|
|
|
|
Default: false,
|
|
|
|
Description: "Delete user even if it has non-Terraform-managed IAM access keys",
|
|
|
|
},
|
2015-02-06 16:34:24 +01:00
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func resourceAwsIamUserCreate(d *schema.ResourceData, meta interface{}) error {
|
|
|
|
iamconn := meta.(*AWSClient).iamconn
|
|
|
|
name := d.Get("name").(string)
|
2015-09-13 09:27:07 +02:00
|
|
|
path := d.Get("path").(string)
|
2015-02-06 16:34:24 +01:00
|
|
|
|
|
|
|
request := &iam.CreateUserInput{
|
2015-09-13 09:27:07 +02:00
|
|
|
Path: aws.String(path),
|
2015-02-06 16:34:24 +01:00
|
|
|
UserName: aws.String(name),
|
|
|
|
}
|
|
|
|
|
2015-11-10 23:19:15 +01:00
|
|
|
log.Println("[DEBUG] Create IAM User request:", request)
|
2015-02-06 16:34:24 +01:00
|
|
|
createResp, err := iamconn.CreateUser(request)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Error creating IAM User %s: %s", name, err)
|
|
|
|
}
|
2016-06-23 03:56:59 +02:00
|
|
|
d.SetId(*createResp.User.UserName)
|
2015-02-06 16:34:24 +01:00
|
|
|
return resourceAwsIamUserReadResult(d, createResp.User)
|
|
|
|
}
|
|
|
|
|
|
|
|
func resourceAwsIamUserRead(d *schema.ResourceData, meta interface{}) error {
|
|
|
|
iamconn := meta.(*AWSClient).iamconn
|
2016-06-23 03:56:59 +02:00
|
|
|
|
2015-02-06 16:34:24 +01:00
|
|
|
request := &iam.GetUserInput{
|
2016-06-23 03:56:59 +02:00
|
|
|
UserName: aws.String(d.Id()),
|
2015-02-06 16:34:24 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
getResp, err := iamconn.GetUser(request)
|
|
|
|
if err != nil {
|
2015-05-20 13:21:23 +02:00
|
|
|
if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" { // XXX test me
|
2015-11-10 23:19:15 +01:00
|
|
|
log.Printf("[WARN] No IAM user by name (%s) found", d.Id())
|
2015-02-06 16:34:24 +01:00
|
|
|
d.SetId("")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return fmt.Errorf("Error reading IAM User %s: %s", d.Id(), err)
|
|
|
|
}
|
|
|
|
return resourceAwsIamUserReadResult(d, getResp.User)
|
|
|
|
}
|
|
|
|
|
|
|
|
func resourceAwsIamUserReadResult(d *schema.ResourceData, user *iam.User) error {
|
|
|
|
if err := d.Set("name", user.UserName); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2015-08-17 20:27:16 +02:00
|
|
|
if err := d.Set("arn", user.Arn); err != nil {
|
2015-02-06 16:34:24 +01:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := d.Set("path", user.Path); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2015-08-17 20:27:16 +02:00
|
|
|
if err := d.Set("unique_id", user.UserId); err != nil {
|
2015-02-06 16:34:24 +01:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-09-13 09:27:07 +02:00
|
|
|
func resourceAwsIamUserUpdate(d *schema.ResourceData, meta interface{}) error {
|
|
|
|
if d.HasChange("name") || d.HasChange("path") {
|
|
|
|
iamconn := meta.(*AWSClient).iamconn
|
|
|
|
on, nn := d.GetChange("name")
|
2015-11-10 23:19:15 +01:00
|
|
|
_, np := d.GetChange("path")
|
|
|
|
|
2015-09-13 09:27:07 +02:00
|
|
|
request := &iam.UpdateUserInput{
|
|
|
|
UserName: aws.String(on.(string)),
|
|
|
|
NewUserName: aws.String(nn.(string)),
|
|
|
|
NewPath: aws.String(np.(string)),
|
|
|
|
}
|
2015-11-10 23:19:15 +01:00
|
|
|
|
|
|
|
log.Println("[DEBUG] Update IAM User request:", request)
|
2015-09-13 09:27:07 +02:00
|
|
|
_, err := iamconn.UpdateUser(request)
|
|
|
|
if err != nil {
|
|
|
|
if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
|
2015-11-10 23:19:15 +01:00
|
|
|
log.Printf("[WARN] No IAM user by name (%s) found", d.Id())
|
2015-09-13 09:27:07 +02:00
|
|
|
d.SetId("")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return fmt.Errorf("Error updating IAM User %s: %s", d.Id(), err)
|
|
|
|
}
|
|
|
|
return resourceAwsIamUserRead(d, meta)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2016-07-25 09:15:03 +02:00
|
|
|
|
2015-02-06 16:34:24 +01:00
|
|
|
func resourceAwsIamUserDelete(d *schema.ResourceData, meta interface{}) error {
|
|
|
|
iamconn := meta.(*AWSClient).iamconn
|
|
|
|
|
2015-11-20 23:54:26 +01:00
|
|
|
// IAM Users must be removed from all groups before they can be deleted
|
|
|
|
var groups []string
|
2016-07-25 09:15:03 +02:00
|
|
|
listGroups := &iam.ListGroupsForUserInput{
|
|
|
|
UserName: aws.String(d.Id()),
|
|
|
|
}
|
|
|
|
pageOfGroups := func(page *iam.ListGroupsForUserOutput, lastPage bool) (shouldContinue bool) {
|
|
|
|
for _, g := range page.Groups {
|
2015-11-20 23:54:26 +01:00
|
|
|
groups = append(groups, *g.GroupName)
|
|
|
|
}
|
2016-07-25 09:15:03 +02:00
|
|
|
return !lastPage
|
|
|
|
}
|
|
|
|
err := iamconn.ListGroupsForUserPages(listGroups, pageOfGroups)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Error removing user %q from all groups: %s", d.Id(), err)
|
2015-11-20 23:54:26 +01:00
|
|
|
}
|
|
|
|
for _, g := range groups {
|
|
|
|
// use iam group membership func to remove user from all groups
|
|
|
|
log.Printf("[DEBUG] Removing IAM User %s from IAM Group %s", d.Id(), g)
|
|
|
|
if err := removeUsersFromGroup(iamconn, []*string{aws.String(d.Id())}, g); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-07-25 09:15:03 +02:00
|
|
|
// All access keys for the user must be removed
|
|
|
|
if d.Get("force_destroy").(bool) {
|
|
|
|
var accessKeys []string
|
|
|
|
listAccessKeys := &iam.ListAccessKeysInput{
|
|
|
|
UserName: aws.String(d.Id()),
|
|
|
|
}
|
|
|
|
pageOfAccessKeys := func(page *iam.ListAccessKeysOutput, lastPage bool) (shouldContinue bool) {
|
|
|
|
for _, k := range page.AccessKeyMetadata {
|
|
|
|
accessKeys = append(accessKeys, *k.AccessKeyId)
|
|
|
|
}
|
|
|
|
return !lastPage
|
|
|
|
}
|
|
|
|
err = iamconn.ListAccessKeysPages(listAccessKeys, pageOfAccessKeys)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Error removing access keys of user %s: %s", d.Id(), err)
|
|
|
|
}
|
|
|
|
for _, k := range accessKeys {
|
|
|
|
_, err := iamconn.DeleteAccessKey(&iam.DeleteAccessKeyInput{
|
|
|
|
UserName: aws.String(d.Id()),
|
|
|
|
AccessKeyId: aws.String(k),
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Error deleting access key %s: %s", k, err)
|
|
|
|
}
|
|
|
|
}
|
2016-10-25 13:53:22 +02:00
|
|
|
|
|
|
|
_, err = iamconn.DeleteLoginProfile(&iam.DeleteLoginProfileInput{
|
|
|
|
UserName: aws.String(d.Id()),
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return fmt.Errorf("Error deleting Account Login Profile: %s", err)
|
|
|
|
}
|
2016-07-25 09:15:03 +02:00
|
|
|
}
|
|
|
|
|
2015-02-06 16:34:24 +01:00
|
|
|
request := &iam.DeleteUserInput{
|
|
|
|
UserName: aws.String(d.Id()),
|
|
|
|
}
|
|
|
|
|
2015-11-10 23:19:15 +01:00
|
|
|
log.Println("[DEBUG] Delete IAM User request:", request)
|
2015-02-06 16:34:24 +01:00
|
|
|
if _, err := iamconn.DeleteUser(request); err != nil {
|
|
|
|
return fmt.Errorf("Error deleting IAM User %s: %s", d.Id(), err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2016-10-25 14:18:41 +02:00
|
|
|
|
|
|
|
func validateAwsIamUserName(v interface{}, k string) (ws []string, errors []error) {
|
|
|
|
value := v.(string)
|
2016-10-28 14:40:04 +02:00
|
|
|
if !regexp.MustCompile(`^[0-9A-Za-z=,.@\-_]+$`).MatchString(value) {
|
2016-10-25 14:18:41 +02:00
|
|
|
errors = append(errors, fmt.Errorf(
|
2016-10-28 14:40:04 +02:00
|
|
|
"only alphanumeric characters, hyphens, underscores, commas, periods, @ symbols and equals signs allowed in %q: %q",
|
2016-10-25 14:18:41 +02:00
|
|
|
k, value))
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|