Fix AWS iam_user remove #59079
@tinproject, just so you are aware we have a dedicated Working Group for aws.
6c299c3 to 6b58218
The test
tested with a user that has keys, console login, and policies, lgtm
Any more requested changes to this PR?
Sorry for the slow/late niggles.
@tinproject needs a rebase because #23382 finally landed
108937a to b21700e
- Use guard clause on already absent user
- Refactor, use variable instead nested dict
- Ensure needed prerequisites for boto3 delete_user successfully
- Use AnsibleAWSModule on iam_user.
- Fix fail_json_aws calls
b21700e to 2094e63
Couple suggestions to clean up the exception handling, but looks good to me once those are addressed.
@tinproject it looks like the rebase has dropped the tests you'd put in place to test behaviour when deleting users which still have policies/group membership attached to them.
Please would you add them back.
I made this PR to FIX the I've done this on my free time, and my allotted free time is well pass through. My original intention is to provide a fix to user deletion, not to update the module to use I believe Red Hat Ansible must rethink its relationship with the community about what is needed on PR and what are nice to haves. More than three months to add a fix, it makes no sense. @tremble Feel free to recover the tests. I'm moving my IAM user process to use Terraform/Cloudformation.
@tinproject I understand your frustration. There is only one Red Hatter working (mostly) full time on AWS pull requests and it's really a community-driven process. Most of the active community is in the IRC channel #ansible-aws on irc.freenode.net. It's a good place to ping people if you feel a pull request is stuck or feel that unreasonable demands have been made or just need some help implementing changes.

Updating the module to use AnsibleAWSModule was not required, but it did simplify the exception handling code. Integration tests are required for new modules and features, but depending on the urgency of the bugfix may also be excluded. Generally tests are requested for bugs and are considered more important than just a "nice to have" because they prevent the use case being broken in the future. As most of these modules are community maintained and often have new contributors, breakage happens easily without tests. You can see from the history of https://github.com/ansible/community/blob/master/group-aws/integration.md that we are progressing, though it's slow work.

It's often difficult to get the balance right between getting a PR in as-is, and forcing contributors to spend a lot of time improving it, refactoring other bits of code, and adding tests. We may have failed you in this occurrence, and for that we apologize. Given the reviews so far, and the detailed manual testing you provided I think we are good to merge your PR as is.
Thanks!
SUMMARY
Fixes #59078
As the Boto3 documentation says (https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.delete_user), before deleting a user it is necessary to delete some of the user's associated resources, like the login profile (console password), access keys, etc.
The current implementation of iam_user doesn't take most of this into account, so user removal fails. This PR removes all the user's associated resources before deleting the user.
Rationale of PR:
ISSUE TYPE
COMPONENT NAME
iam_user
ADDITIONAL INFORMATION
To test this I've manually created the following IAM users and removed them with the iam_user module of this PR:
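
The cleanup the summary describes, as an added example that is not the PR's or the module's code: it removes the console login profile, access keys, policies and group memberships named on this page before calling `delete_user`, taking any IAM client such as `boto3.client("iam")`. The function name, the `check_mode` parameter and the `PREREQUISITES` table are assumptions, and the other prerequisites listed in the boto3 documentation are not handled.

```python
# Added example, not the iam_user module's code. `client` is an IAM client,
# e.g. boto3.client("iam"); names below other than the IAM operations are assumptions.

# (list operation, response key, removal operation, removal kwarg,
#  field of each listed item, or None when the items are plain strings)
PREREQUISITES = [
    ("list_access_keys", "AccessKeyMetadata", "delete_access_key", "AccessKeyId", "AccessKeyId"),
    ("list_attached_user_policies", "AttachedPolicies", "detach_user_policy", "PolicyArn", "PolicyArn"),
    ("list_user_policies", "PolicyNames", "delete_user_policy", "PolicyName", None),
    ("list_groups_for_user", "Groups", "remove_user_from_group", "GroupName", "GroupName"),
]


def remove_iam_user(client, user_name, check_mode=False):
    """Remove a user's credentials, policies and group memberships, then the user.

    Returns the (operation, identifier) steps performed, or only planned when
    check_mode is True. An empty list means the user was already absent.
    """
    not_found = client.exceptions.NoSuchEntityException
    try:
        client.get_user(UserName=user_name)
    except not_found:
        return []  # guard clause: user already absent, nothing to change

    steps = []

    def run(operation, identifier, **kwargs):
        steps.append((operation, identifier))
        if not check_mode:
            getattr(client, operation)(UserName=user_name, **kwargs)

    # The console password has no list call, so probe for the login profile.
    try:
        client.get_login_profile(UserName=user_name)
    except not_found:
        pass
    else:
        run("delete_login_profile", user_name)

    for list_op, key, remove_op, kwarg, field in PREREQUISITES:
        pages = client.get_paginator(list_op).paginate(UserName=user_name)
        # Collect every page first so removals do not disturb pagination.
        items = [item for page in pages for item in page[key]]
        for item in items:
            value = item if field is None else item[field]
            run(remove_op, value, **{kwarg: value})

    run("delete_user", user_name)
    return steps
```

The returned step list doubles as an audit record of which credentials and attachments were removed for the user.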