Updated iam_user force delete to include public ssh keys. fixes #4176 #6337

Contributor

@nodefortytwo nodefortytwo commented Nov 2, 2018

Fixes #4176

Changes proposed in this pull request:

  • when force delete is specified delete any public ssh keys attached to user

Output from acceptance testing:
BEFORE change was applied:

-> dazn aws exec -p dazn-demo-one -- make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSUser_ForceDestroy_SSHKey'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSUser_ForceDestroy_SSHKey -timeout 120m
=== RUN   TestAccAWSUser_ForceDestroy_SSHKey
=== PAUSE TestAccAWSUser_ForceDestroy_SSHKey
=== CONT  TestAccAWSUser_ForceDestroy_SSHKey
--- FAIL: TestAccAWSUser_ForceDestroy_SSHKey (17.93s)
    testing.go:599: Error destroying resource! WARNING: Dangling resources
        may exist. The full state and error is shown below.

        Error: Error applying: 1 error occurred:
                * aws_iam_user.test (destroy): 1 error occurred:
                * aws_iam_user.test: Error deleting IAM User tf-acc-test-1916028493612556295: DeleteConflict: Cannot delete entity, must remove referenced objectsfirst.
                status code: 409, request id: c393d746-e00e-11e8-9c3c-8dbf40989de3





        State: aws_iam_user.test:
          ID = tf-acc-test-1916028493612556295
          provider = provider.aws
          arn = arn:aws:iam::621041455573:user/tf-acc-test-1916028493612556295
          force_destroy = true
          name = tf-acc-test-1916028493612556295
          path = /
          unique_id = AIDAJHVSXXJ7EDMBLQLN6
FAIL
FAIL    github.com/nodefortytwo/terraform-provider-aws/aws      17.979s

AFTER changes

-> dazn aws exec -p dazn-demo-one -- make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSUser_ForceDestroy_SSHKey'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -parallel 20 -run=TestAccAWSUser_ForceDestroy_SSHKey -timeout 120m
=== RUN   TestAccAWSUser_ForceDestroy_SSHKey
=== PAUSE TestAccAWSUser_ForceDestroy_SSHKey
=== CONT  TestAccAWSUser_ForceDestroy_SSHKey
--- PASS: TestAccAWSUser_ForceDestroy_SSHKey (19.99s)
PASS
ok      github.com/nodefortytwo/terraform-provider-aws/aws      20.032s

ignore the dazn bit, just generates temporary credentials to one of our ephemeral accounts
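
The failure and the fix described in this PR, as an added example (not code from the provider or from this PR): an in-memory stand-in for one IAM user refuses deletion while any attached object remains, so a force-destroy list that omits SSH public keys removes the other credentials and then hits DeleteConflict. The `fakeUser` type, the kind names and the key IDs are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrDeleteConflict models the DeleteConflict (409) error from the failing test run.
var ErrDeleteConflict = errors.New("DeleteConflict: must remove referenced objects first")

// fakeUser is a hypothetical stand-in for one IAM user: object kind -> attached IDs.
type fakeUser map[string]map[string]bool

// Delete refuses, as IAM does, while any object is still attached to the user.
func (u fakeUser) Delete() error {
	for _, ids := range u {
		if len(ids) > 0 {
			return ErrDeleteConflict
		}
	}
	return nil
}

// forceDestroy detaches every ID of each listed kind, then deletes the user.
func forceDestroy(u fakeUser, kinds []string) (removed int, err error) {
	for _, kind := range kinds {
		for id := range u[kind] {
			delete(u[kind], id) // stands in for a per-object call such as DeleteSSHPublicKey
			removed++
		}
	}
	return removed, u.Delete()
}

// newUser builds constructed sample state: one access key and two SSH public keys.
func newUser() fakeUser {
	return fakeUser{
		"access_key":     {"AKIAEXAMPLE1": true},
		"ssh_public_key": {"APKAEXAMPLE1": true, "APKAEXAMPLE2": true},
	}
}

func main() {
	before := []string{"access_key", "login_profile", "mfa_device"}
	after := append(before, "ssh_public_key")
	fmt.Println(forceDestroy(newUser(), before))
	fmt.Println(forceDestroy(newUser(), after))
}
```

In the first call the access key is already gone when the conflict is returned, which is the partially deprovisioned state the "Dangling resources" warning in the failing run refers to.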

@ghost ghost added size/XS Managed by automation to categorize the size of a PR. service/iam Issues and PRs that pertain to the iam service. labels Nov 2, 2018
@tapatoo

tapatoo commented Nov 2, 2018

👍

1 similar comment
@robertstettner
Contributor

👍

@bflad
Contributor

bflad commented Nov 2, 2018

Output from acceptance testing: I cannot run without applying gofmt to loads of unchanged files?

Upgrading to Go 1.11 should make those disappear. 👍

@bflad
Contributor

bflad commented Nov 2, 2018

It would be really nice to write up an acceptance test that actually covers this code path. We can set this up similar to how _disappears acceptance tests are written. e.g.

func TestAccAWSUser_ForceDestroy_SSHKey(t *testing.T) {
	var user iam.GetUserOutput

	rName := acctest.RandomWithPrefix("tf-acc-test")
	resourceName := "aws_iam_user.test"

	resource.ParallelTest(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckAWSUserDestroy,
		Steps: []resource.TestStep{
			{
				Config: testAccAWSUserConfigForceDestroy(rName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckAWSUserExists(resourceName, &user),
					testAccCheckAWSUserUploadsSSHKey(&user),
				),
			},
		},
	})
}

func testAccCheckAWSUserUploadsSSHKey(getUserOutput *iam.GetUserOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		iamconn := testAccProvider.Meta().(*AWSClient).iamconn

		input := &iam.UploadSSHPublicKeyInput{
			UserName:         getUserOutput.User.UserName,
			SSHPublicKeyBody: aws.String(/* can be hardcoded or preferably read from a file in aws/test-fixtures */),
		}

		_, err := iamconn.UploadSSHPublicKey(input)
		if err != nil {
			return fmt.Errorf("error uploading IAM User (%s) SSH key: %s", aws.StringValue(getUserOutput.User.UserName), err)
		}

		return nil
	}
}

func testAccAWSUserConfigForceDestroy(rName string) string {
	return fmt.Sprintf(`
resource "aws_iam_user" "test" {
  force_destroy = true
  name = %q
}
`, rName)
}

@bflad bflad added bug Addresses a defect in current functionality. waiting-response Maintainers are waiting on response from community or contributor. labels Nov 2, 2018
@nodefortytwo
Contributor Author

I'll address this over the weekend, thanks for the feedback

@ghost ghost added tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. size/M Managed by automation to categorize the size of a PR. and removed size/XS Managed by automation to categorize the size of a PR. labels Nov 3, 2018
@nodefortytwo
Contributor Author

Tests added and results added to PR

This makes the force delete flow more obvious and allows for easier reordering or parallelisation of delete behaviours
@ghost ghost added size/L Managed by automation to categorize the size of a PR. and removed size/M Managed by automation to categorize the size of a PR. labels Nov 4, 2018
@bflad bflad removed the waiting-response Maintainers are waiting on response from community or contributor. label Nov 5, 2018
@bflad bflad added this to the v1.43.0 milestone Nov 5, 2018
Contributor

@bflad bflad left a comment

Thanks for the updates, @nodefortytwo! Since the code surrounding the other force destroy options was also updated, I added acceptance testing coverage where I could as well in the followup commit (49bc1a740630b0b2aafbd67fc5f452f0ca457020).

🚀

--- PASS: TestAccAWSUser_disappears (7.15s)
--- PASS: TestAccAWSUser_ForceDestroy_SSHKey (9.38s)
--- PASS: TestAccAWSUser_importBasic (9.49s)
--- PASS: TestAccAWSUser_ForceDestroy_AccessKey (9.55s)
--- PASS: TestAccAWSUser_ForceDestroy_LoginProfile (9.78s)
--- PASS: TestAccAWSUser_pathChange (13.74s)
--- PASS: TestAccAWSUser_nameChange (13.80s)
--- PASS: TestAccAWSUser_basic (13.94s)
--- PASS: TestAccAWSUser_permissionsBoundary (31.21s)
--- SKIP: TestAccAWSUser_ForceDestroy_MFADevice (0.00s)
    resource_aws_iam_user_test.go:177: Virtual MFA device creation is not currently implemented

@bflad bflad merged commit e4631a3 into hashicorp:master Nov 5, 2018
bflad added a commit that referenced this pull request Nov 5, 2018
@bflad
Contributor

bflad commented Nov 7, 2018

This has been released in version 1.43.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 2, 2020
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. size/L Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Development

Successfully merging this pull request may close these issues.

aws_iam_user with force_destroy should also get rid of SSH keys
4 participants