
aws_iam_user with force_destroy should also get rid of SSH keys #4176

Closed
lvh opened this issue Apr 11, 2018 · 5 comments · Fixed by #6337
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Comments


lvh commented Apr 11, 2018

Terraform Version

Terraform v0.11.7

Affected Resource(s)

  • aws_iam_user

Terraform Configuration Files

resource "aws_iam_user" "u" {
  name = "u"
  force_destroy = true
}

Output

Output of terraform destroy:

aws_iam_user.u: Refreshing state... (ID: auditor)
data.aws_caller_identity.current: Refreshing state...
data.aws_ami.stable_coreos: Refreshing state...
data.aws_availability_zones.available: Refreshing state...
data.template_file.cloud_config: Refreshing state...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  - aws_iam_user.u


Plan: 0 to add, 0 to change, 1 to destroy.

Do you really want to destroy?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

aws_iam_user.u: Destroying... (ID: u)

Error: Error applying plan:

1 error(s) occurred:

* aws_iam_user.u (destroy): 1 error(s) occurred:

* aws_iam_user.auditor: Error deleting IAM User u: DeleteConflict: Cannot delete entity, must remove referenced objects first.
	status code: 409, request id: REDACTED

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Expected Behavior

The user should have been destroyed

Actual Behavior

The user was not destroyed

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. Add SSH pubkey out of band, e.g. aws iam upload-ssh-public-key --user-name u --ssh-public-key-body "$(cat ~/.ssh/id_rsa.pub)"
  4. terraform destroy

Additional Context

Unfortunately, while the DeleteUser IAM command claims to produce useful info about the conflicting resources when a delete fails, I have not found this to be true, making this bug all the more frustrating.

References

None that I know of.

radeksimko added the service/iam and bug labels, and removed the enhancement label, on Apr 24, 2018

lvh commented Jun 4, 2018

FWIW there's at least one other case that I can't file a bug for yet because I haven't figured it out:

$ aws iam list-groups-for-user --user-name auditor; aws iam list-signing-certificates --user-name auditor; aws iam list-user-policies --user-name auditor; aws iam list-attached-user-policies --user-name auditor; aws iam list-access-keys --user-name auditor; aws iam list-ssh-public-keys --user-name auditor; aws iam get-login-profile --user-name auditor
{
    "Groups": []
}
{
    "Certificates": []
}
{
    "PolicyNames": []
}
{
    "AttachedPolicies": []
}
{
    "AccessKeyMetadata": []
}
{
    "SSHPublicKeys": []
}

An error occurred (NoSuchEntity) when calling the GetLoginProfile operation: Cannot find Login Profile for User auditor
$ aws iam delete-user --user-name auditor

An error occurred (DeleteConflict) when calling the DeleteUser operation: Cannot delete entity, must remove referenced objects first.

As you can tell this user doesn't even have an SSH key and still can't be deleted. No idea why.


lvh commented Jun 4, 2018

Despite forgetting it in that paste: it's also not an attached MFA device.
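The sweep that force_destroy has to perform, written out as an added example (this is not code from the issue or from the Terraform AWS provider): a bash script over the aws CLI used throughout this thread that enumerates every object the IAM DeleteUser API requires to be removed first (console password, access keys, signing certificates, SSH public keys, service-specific credentials such as CodeCommit Git credentials, MFA devices, inline and attached policies, group memberships), deletes them, and only then calls delete-user. The dependency table, the function names and the user name are this example's own, and it needs CLI credentials with iam:List*/iam:Get* plus the corresponding iam:Delete*/iam:Detach*/iam:Remove* permissions on the user. Service-specific credentials are the one class that the list-* sweep quoted above does not query.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or the Terraform AWS provider:
# an IAM "force destroy" in plain AWS CLI. DeleteUser refuses to delete a
# user while any of the objects below is still attached, so we enumerate
# them, delete them, then delete the user. Requires iam:List*/iam:Get*/
# iam:Delete*/iam:Detach*/iam:Remove* on the user and a configured CLI.
set -eu

# kind | list subcommand | JMESPath selecting the ids   (this table is ours)
DEPENDENCY_KINDS='
access-key      list-access-keys                  AccessKeyMetadata[].AccessKeyId
ssh-key         list-ssh-public-keys              SSHPublicKeys[].SSHPublicKeyId
signing-cert    list-signing-certificates         Certificates[].CertificateId
service-cred    list-service-specific-credentials ServiceSpecificCredentials[].ServiceSpecificCredentialId
mfa             list-mfa-devices                  MFADevices[].SerialNumber
inline-policy   list-user-policies                PolicyNames[]
attached-policy list-attached-user-policies       AttachedPolicies[].PolicyArn
group           list-groups-for-user              Groups[].GroupName
'

# iam_ids <list-subcommand> <user> <jmespath>: one id per line, nothing when
# the list is empty. The CLI call is captured first so that a failure (e.g.
# AccessDenied) aborts under set -e instead of reading as "nothing attached".
iam_ids() {
  local out
  out=$(aws iam "$1" --user-name "$2" --query "$3" --output text)
  printf '%s\n' "$out" | tr '\t' '\n' | grep -v -e '^$' -e '^None$' || true
}

# iam_user_dependencies <user>: prints "<kind> <id>" for every object that
# has to go before DeleteUser succeeds. Safe to run on its own as a dry run.
iam_user_dependencies() {
  local u=$1
  # Console passwords have no list call; get-login-profile exits non-zero
  # when there is none (and on any other error, so check permissions first).
  if aws iam get-login-profile --user-name "$u" >/dev/null 2>&1; then
    printf 'login-profile %s\n' "$u"
  fi
  printf '%s\n' "$DEPENDENCY_KINDS" | while read -r kind cmd query; do
    [ -n "$kind" ] || continue
    ids=$(iam_ids "$cmd" "$u" "$query")
    for id in $ids; do printf '%s %s\n' "$kind" "$id"; done   # IAM ids never contain spaces
  done
}

# iam_delete_dependency <user> <kind> <id>: the matching IAM delete call.
iam_delete_dependency() {
  local u=$1 kind=$2 id=$3
  case $kind in
    login-profile)   aws iam delete-login-profile --user-name "$u" ;;
    access-key)      aws iam delete-access-key --user-name "$u" --access-key-id "$id" ;;
    ssh-key)         aws iam delete-ssh-public-key --user-name "$u" --ssh-public-key-id "$id" ;;
    signing-cert)    aws iam delete-signing-certificate --user-name "$u" --certificate-id "$id" ;;
    service-cred)    aws iam delete-service-specific-credential --user-name "$u" \
                       --service-specific-credential-id "$id" ;;
    mfa)             aws iam deactivate-mfa-device --user-name "$u" --serial-number "$id"
                     # A virtual device (serial is an arn:...:mfa/... ARN) is a
                     # separate IAM object; a hardware device just keeps its serial.
                     case $id in *:mfa/*) aws iam delete-virtual-mfa-device --serial-number "$id" ;; esac ;;
    inline-policy)   aws iam delete-user-policy --user-name "$u" --policy-name "$id" ;;
    attached-policy) aws iam detach-user-policy --user-name "$u" --policy-arn "$id" ;;
    group)           aws iam remove-user-from-group --user-name "$u" --group-name "$id" ;;
    *) echo "unknown dependency kind: $kind" >&2; return 1 ;;
  esac
}

# iam_force_delete_user <user>: the whole sweep, then DeleteUser.
iam_force_delete_user() {
  local u=$1 deps
  deps=$(iam_user_dependencies "$u")
  printf '%s\n' "$deps" | while read -r kind id; do
    [ -n "$kind" ] || continue
    echo "removing $kind $id from $u" >&2
    iam_delete_dependency "$u" "$kind" "$id"
  done
  aws iam delete-user --user-name "$u"
}

# usage: ./iam-force-delete-user.sh <user-name>
if [ $# -gt 0 ]; then
  iam_force_delete_user "$1"
fi
```

Run `iam_user_dependencies <user>` on its own first: it is read-only and shows exactly what the sweep would remove, which is also the quickest way to find what is still holding a DeleteConflict. Every mutating call here is irreversible (deleted access keys and SSH keys cannot be restored), so treat the full script the same way as force_destroy = true.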


bflad commented Nov 5, 2018

The fix for deleting SSH keys with force_destroy has been merged and will release with version 1.43.0 of the AWS provider, likely middle of this week. 👍


bflad commented Nov 7, 2018

This has been released in version 1.43.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.


ghost commented Apr 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 2, 2020
3 participants