provider/aws: Fix issue deleting users who are attached to a group
If you want to delete an IAM user, that user must not belong to any groups.
This commit is contained in:
parent
cf87ede5dd
commit
233aab6e0a
|
@ -33,6 +33,14 @@ func TestAccAWSGroupMembership_basic(t *testing.T) {
|
|||
testAccCheckAWSGroupMembershipAttributes(&group, []string{"test-user-two", "test-user-three"}),
|
||||
),
|
||||
},
|
||||
|
||||
resource.TestStep{
|
||||
Config: testAccAWSGroupMemberConfigUpdateDown,
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
testAccCheckAWSGroupMembershipExists("aws_iam_group_membership.team", &group),
|
||||
testAccCheckAWSGroupMembershipAttributes(&group, []string{"test-user-three"}),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
@ -167,3 +175,23 @@ resource "aws_iam_group_membership" "team" {
|
|||
group = "${aws_iam_group.group.name}"
|
||||
}
|
||||
`
|
||||
|
||||
const testAccAWSGroupMemberConfigUpdateDown = `
|
||||
resource "aws_iam_group" "group" {
|
||||
name = "test-group"
|
||||
path = "/"
|
||||
}
|
||||
|
||||
resource "aws_iam_user" "user_three" {
|
||||
name = "test-user-three"
|
||||
path = "/"
|
||||
}
|
||||
|
||||
resource "aws_iam_group_membership" "team" {
|
||||
name = "tf-testing-group-membership"
|
||||
users = [
|
||||
"${aws_iam_user.user_three.name}",
|
||||
]
|
||||
group = "${aws_iam_group.group.name}"
|
||||
}
|
||||
`
|
||||
|
|
|
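Review bot: The new UpdateDown step only shrinks the membership list, and since Terraform updates aws_iam_group_membership.team before it destroys the users dropped from the config, this step probably never reaches the path the commit title describes (deleting a user that is still a member of a group), so the fix in resource_aws_iam_user.go could regress without this test noticing. Consider a check func in a follow-up step that adds the remaining user to a group outside the membership resource and then verifies the user is destroyed cleanly. As a point of style, testAccAWSGroupMemberConfigUpdateDown hard-codes `"test-group"` and `"test-user-three"` like the rest of the file, so two runs against the same account will collide; a random suffix would avoid that.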
@ -132,6 +132,44 @@ func resourceAwsIamUserUpdate(d *schema.ResourceData, meta interface{}) error {
|
|||
func resourceAwsIamUserDelete(d *schema.ResourceData, meta interface{}) error {
|
||||
iamconn := meta.(*AWSClient).iamconn
|
||||
|
||||
// IAM Users must be removed from all groups before they can be deleted
|
||||
var groups []string
|
||||
var marker *string
|
||||
truncated := aws.Bool(true)
|
||||
|
||||
for *truncated == true {
|
||||
listOpts := iam.ListGroupsForUserInput{
|
||||
UserName: aws.String(d.Id()),
|
||||
}
|
||||
|
||||
if marker != nil {
|
||||
listOpts.Marker = marker
|
||||
}
|
||||
|
||||
r, err := iamconn.ListGroupsForUser(&listOpts)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
for _, g := range r.Groups {
|
||||
groups = append(groups, *g.GroupName)
|
||||
}
|
||||
|
||||
// if there's a marker present, we need to save it for pagination
|
||||
if r.Marker != nil {
|
||||
*marker = *r.Marker
|
||||
}
|
||||
*truncated = *r.IsTruncated
|
||||
}
|
||||
|
||||
for _, g := range groups {
|
||||
// use iam group membership func to remove user from all groups
|
||||
log.Printf("[DEBUG] Removing IAM User %s from IAM Group %s", d.Id(), g)
|
||||
if err := removeUsersFromGroup(iamconn, []*string{aws.String(d.Id())}, g); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
request := &iam.DeleteUserInput{
|
||||
UserName: aws.String(d.Id()),
|
||||
}
|
||||
|
|
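Review bot: `*marker = *r.Marker` in the pagination step dereferences `marker`, which is declared as `var marker *string` and never allocated, so the first truncated ListGroupsForUser response panics instead of fetching the next page; assign the pointer instead, `marker = r.Marker`. The next line, `*truncated = *r.IsTruncated`, dereferences a response field the SDK can leave nil, and `*truncated = aws.BoolValue(r.IsTruncated)` keeps the loop condition safe in that case. Because listOpts is rebuilt on every iteration, the existing `if marker != nil` guard then works as intended. resourceAwsIamUserDelete continues past the hunk; the DeleteUser call that consumes `request` is outside it.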