From 233aab6e0a556ac5db9d1b613e228175628abf76 Mon Sep 17 00:00:00 2001
From: clint shryock
Date: Fri, 20 Nov 2015 16:54:26 -0600
Subject: [PATCH] provider/aws: Fix issue deleting users who are attached to a group

If you want to delete an IAM user, that user must not belong to any groups
---
 .../resource_aws_iam_group_membership_test.go | 28 ++++++++++++++
 .../providers/aws/resource_aws_iam_user.go    | 38 +++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/builtin/providers/aws/resource_aws_iam_group_membership_test.go b/builtin/providers/aws/resource_aws_iam_group_membership_test.go
index fc868cb7c..26076dd9b 100644
--- a/builtin/providers/aws/resource_aws_iam_group_membership_test.go
+++ b/builtin/providers/aws/resource_aws_iam_group_membership_test.go
@@ -33,6 +33,14 @@ func TestAccAWSGroupMembership_basic(t *testing.T) {
 					testAccCheckAWSGroupMembershipAttributes(&group, []string{"test-user-two", "test-user-three"}),
 				),
 			},
+
+			resource.TestStep{
+				Config: testAccAWSGroupMemberConfigUpdateDown,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSGroupMembershipExists("aws_iam_group_membership.team", &group),
+					testAccCheckAWSGroupMembershipAttributes(&group, []string{"test-user-three"}),
+				),
+			},
 		},
 	})
 }
@@ -167,3 +175,23 @@ resource "aws_iam_group_membership" "team" {
 	group = "${aws_iam_group.group.name}"
 }
 `
+
+const testAccAWSGroupMemberConfigUpdateDown = `
+resource "aws_iam_group" "group" {
+	name = "test-group"
+	path = "/"
+}
+
+resource "aws_iam_user" "user_three" {
+	name = "test-user-three"
+	path = "/"
+}
+
+resource "aws_iam_group_membership" "team" {
+	name = "tf-testing-group-membership"
+	users = [
+		"${aws_iam_user.user_three.name}",
+	]
+	group = "${aws_iam_group.group.name}"
+}
+`
diff --git a/builtin/providers/aws/resource_aws_iam_user.go b/builtin/providers/aws/resource_aws_iam_user.go
index d058047d0..99a12edf9 100644
--- a/builtin/providers/aws/resource_aws_iam_user.go
+++ b/builtin/providers/aws/resource_aws_iam_user.go
@@ -132,6 +132,44 @@ func resourceAwsIamUserUpdate(d *schema.ResourceData, meta interface{}) error {
 func resourceAwsIamUserDelete(d *schema.ResourceData, meta interface{}) error {
 	iamconn := meta.(*AWSClient).iamconn
 
+	// IAM Users must be removed from all groups before they can be deleted
+	var groups []string
+	var marker *string
+	truncated := aws.Bool(true)
+
+	for *truncated == true {
+		listOpts := iam.ListGroupsForUserInput{
+			UserName: aws.String(d.Id()),
+		}
+
+		if marker != nil {
+			listOpts.Marker = marker
+		}
+
+		r, err := iamconn.ListGroupsForUser(&listOpts)
+		if err != nil {
+			return err
+		}
+
+		for _, g := range r.Groups {
+			groups = append(groups, *g.GroupName)
+		}
+
+		// if there's a marker present, we need to save it for pagination
+		if r.Marker != nil {
+			*marker = *r.Marker
+		}
+		*truncated = *r.IsTruncated
+	}
+
+	for _, g := range groups {
+		// use iam group membership func to remove user from all groups
+		log.Printf("[DEBUG] Removing IAM User %s from IAM Group %s", d.Id(), g)
+		if err := removeUsersFromGroup(iamconn, []*string{aws.String(d.Id())}, g); err != nil {
+			return err
+		}
+	}
+
 	request := &iam.DeleteUserInput{
 		UserName: aws.String(d.Id()),
 	}
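Review bot: `*marker = *r.Marker` writes through a nil pointer — `marker` is declared as `var marker *string` and never allocated — so the first truncated ListGroupsForUser response panics the provider instead of fetching the next page; `marker = r.Marker` is the fix, and the `if marker != nil` guard earlier in the loop already covers the nil case. `*truncated = *r.IsTruncated` likewise dereferences an SDK response field with no nil check; a plain bool, `truncated = r.IsTruncated != nil && *r.IsTruncated`, with `for truncated {` as the loop header, avoids both the deref and the redundant `== true`. Since memberships are removed before DeleteUser is called, a failure in the delete leaves the user already stripped of its groups; a short comment stating that this partial state is accepted (presumably the membership resource restores it on the next apply) would help future readers. The body of resourceAwsIamUserDelete continues past the end of the hunk.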