CLDSRV-915: Fix service user provisioning broken by AWS SDK v3 migration

[tcarmet]

The AWS SDK v3 migration changed how IAM "entity not found" errors surface, and the service user provisioning script relied on the old shape. Since then a fresh environment can never create its service user: the lookup error is treated as fatal instead of triggering creation, and installs that provision one fail.

The script had no test coverage, which is how this slipped through. This PR also adds a functional test suite that exercises it end to end against a real IAM backend in CI, to catch mistakes in the script sooner.

[bert-e]

Hello tcarmet,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
/after_pull_request	Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval	Bypass the pull request author's approval	⭐
/bypass_build_status	Bypass the build and test status	⭐
/bypass_commit_size	Bypass the check on the size of the changeset TBA	⭐
/bypass_incompatible_branch	Bypass the check on the source branch prefix	⭐
/bypass_jira_check	Bypass the Jira issue check	⭐
/bypass_peer_approval	Bypass the pull request peers' approval	⭐
/bypass_leader_approval	Bypass the pull request leaders' approval	⭐
/approve	Instruct Bert-E that the author has approved the pull request.		✍️
/create_pull_requests	Allow the creation of integration pull requests.
/create_integration_branches	Allow the creation of integration branches.
/no_octopus	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity	Change review acceptance criteria from one reviewer at least to all reviewers
/wait	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
/help	Print Bert-E's manual in the pull request.
/status	Print Bert-E's current status in the pull request TBA
/clear	Remove all comments from Bert-E from the history TBA
/retry	Re-start a fresh build TBA
/build	Re-start a fresh build TBA
/force_reset	Delete integration branches & pull requests, and restart merge process from the beginning.
/reset	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

[bert-e]

Incorrect fix version

The Fix Version/s in issue CLDSRV-915 contains:

• None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

• 9.3.9

• 9.4.0

Please check the Fix Version/s of CLDSRV-915, or the target
branch of this pull request.

[claude]

LGTM

The fix correctly handles the SDK v3 error shape change (err.Error.Code instead of err.name), and the new functional tests provide solid end-to-end coverage of the script against a real IAM backend.

Review by Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.53%. Comparing base (ceec022) to head (38e38d4).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@               Coverage Diff                @@
##           development/9.3    #6185   +/-   ##
================================================
  Coverage            84.53%   84.53%           
================================================
  Files                  206      206           
  Lines                13360    13360           
================================================
  Hits                 11294    11294           
  Misses                2066     2066           

Flag	Coverage Δ
file-ft-tests	68.34% <ø> (ø)
kmip-ft-tests	28.30% <ø> (ø)
mongo-v0-ft-tests	69.52% <ø> (-0.03%)	⬇️
mongo-v1-ft-tests	69.54% <ø> (ø)
multiple-backend	36.80% <ø> (ø)
sur-tests	35.84% <ø> (ø)
sur-tests-inflights	37.69% <ø> (-0.03%)	⬇️
unit	70.50% <ø> (ø)
utapi-v2-tests	34.57% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

• Test cleanup's ignoreNoSuchEntity (line 55) uses err.Error.Code === 'NoSuchEntity' — a different error detection pattern than the script fix itself (err instanceof NoSuchEntityException). Should use instanceof to stay consistent and avoid a potential cleanup failure in the third test case.
  • Import NoSuchEntityException from @aws-sdk/client-iam and use err instanceof NoSuchEntityException in the test helper.

Review by Claude Code

[claude]

LGTM

Review by Claude Code

[bert-e]

Request integration branches

Waiting for integration branch creation to be requested by the user.

To request integration branches, please comment on this pull request with the following command:

/create_integration_branches

Alternatively, the /approve and /create_pull_requests commands will automatically
create the integration branches.

[claude]

This downgrades the package version from 9.3.8 to 9.3.7. The base branch development/9.3 is currently at 9.3.8, so this is a regression — likely from a stale branch that was not rebased before the PR was opened.

— Claude Code

[claude]

This downgrades arsenal from 8.4.4 to 8.4.1. The base branch development/9.3 is at 8.4.4, so this reverts three patch releases — likely from the same stale-branch issue as the version field. Rebase to pick up the current pin.

— Claude Code

[claude]

• package.json downgrades version from 9.3.8 to 9.3.7 and arsenal from 8.4.4 to 8.4.1 — both unrelated to the fix and likely from a stale branch. Rebase onto development/9.3 to resolve.
  - Rebase the branch onto the current development/9.3 head
  
  The core fix (err instanceof NoSuchEntityException instead of err.name === 'NoSuchEntity') is correct for AWS SDK v3, and the new test suite is well-structured.
  
  Review by Claude Code

[claude]

LGTM

Review by Claude Code

[claude]

• ft_scripts not added to ft_test aggregator — yarn ft_test won't run these tests locally
  • Add ft_scripts to the ft_test npm-run-all chain

Otherwise LGTM — the instanceof NoSuchEntityException fix is correct for SDK v3, and the new test suite covers creation, idempotent re-run, and conflict detection with proper cleanup.

Review by Claude Code

[claude]

LGTM

Review by Claude Code

[tcarmet]

/create_integration_branches

[bert-e]

Conflict

A conflict has been raised during the creation of
integration branch w/9.4/bugfix/CLDSRV-915-fix-ensure-service-user-not-found-check with contents from bugfix/CLDSRV-915-fix-ensure-service-user-not-found-check
and development/9.4.

I have not created the integration branch.

Here are the steps to resolve this conflict:

 git fetch
 git checkout -B w/9.4/bugfix/CLDSRV-915-fix-ensure-service-user-not-found-check origin/development/9.4
 git merge origin/bugfix/CLDSRV-915-fix-ensure-service-user-not-found-check
 # <intense conflict resolution>
 git commit
 git push -u origin w/9.4/bugfix/CLDSRV-915-fix-ensure-service-user-not-found-check

The following options are set: create_integration_branches

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

The following options are set: create_integration_branches

[tcarmet]

/approve

[bert-e]

Build failed

The build for commit did not succeed in branch w/9.4/bugfix/CLDSRV-915-fix-ensure-service-user-not-found-check

The following options are set: approve, create_integration_branches

[bert-e]

In the queue

The changeset has received all authorizations and has been added to the
relevant queue(s). The queue(s) will be merged in the target development
branch(es) as soon as builds have passed.

The changeset will be merged in:

• ✔️ development/9.3

• ✔️ development/9.4

The following branches will NOT be impacted:

• development/7.10
• development/7.4
• development/7.70
• development/8.8
• development/9.0
• development/9.1
• development/9.2

This pull request does not target the following hotfix branch(es) so they
will be left untouched:

• hotfix/6.4.7
• hotfix/7.10.49
• hotfix/7.10.8
• hotfix/7.70.11
• hotfix/7.8.0
• hotfix/7.4.8
• hotfix/9.0.32
• hotfix/7.10.27
• hotfix/7.10.0
• hotfix/7.10.15
• hotfix/7.4.6
• hotfix/7.4.5
• hotfix/7.70.51
• hotfix/9.0.7
• hotfix/7.4.0
• hotfix/9.2.24
• hotfix/7.4.1
• hotfix/7.70.73
• hotfix/7.4.10
• hotfix/7.2.0
• hotfix/7.6.0
• hotfix/7.4.4
• hotfix/7.10.2
• hotfix/7.4.2
• hotfix/7.70.45
• hotfix/8.8.45
• hotfix/7.4.7
• hotfix/7.10.1
• hotfix/7.70.21
• hotfix/7.4.9
• hotfix/7.4.3
• hotfix/7.7.0
• hotfix/7.10.28
• hotfix/7.10.3
• hotfix/7.10.4
• hotfix/7.9.0
• hotfix/7.10.30

There is no action required on your side. You will be notified here once
the changeset has been merged. In the unlikely event that the changeset
fails permanently on the queue, a member of the admin team will
contact you to help resolve the matter.

IMPORTANT

Please do not attempt to modify this pull request.

• Any commit you add on the source branch will trigger a new cycle after the
  current queue is merged.
• Any commit you add on one of the integration branches will be lost.

If you need this pull request to be removed from the queue, please contact a
member of the admin team now.

The following options are set: approve, create_integration_branches

[bert-e]

Queue build failed

The corresponding build for the queue failed:

• Checkout the status page.
• Identify the failing build and review the logs.
• If no issue is found, re-run the build.
• If an issue is identified, checkout the steps below to remove
  the pull request from the queue for further analysis and maybe rebase/merge.

Remove the pull request from the queue

• Add a /wait comment on this pull request.
• Click on login on the status page.
• Go into the manage page.
• Find the option called Rebuild the queue and click on it.
  Bert-E will loop again on all pull requests to put the valid ones
  in the queue again, while skipping the one with the /wait comment.
• Wait for the new queue to merge, then merge/rebase your pull request
  with the latest changes to then work on a proper fix.
• Once the issue is fixed, delete the /wait comment and
  follow the usual process to merge the pull request.

[bert-e]

I have successfully merged the changeset of this pull request
into targetted development branches:

• ✔️ development/9.3

• ✔️ development/9.4

The following branches have NOT changed:

• development/7.10
• development/7.4
• development/7.70
• development/8.8
• development/9.0
• development/9.1
• development/9.2

Please check the status of the associated issue CLDSRV-915.

Goodbye tcarmet.