Enable deleting IAM users with associated MFA devices. (#27288)
Refactored delete_user(), since most of the heavy lifting was being done in the exception handling, which is not at all necessary and resulted in changed=False being reported after changes had been successfully made.
This commit is contained in:
parent
7551e8c921
commit
cbb94a75fe
1 changed files with 48 additions and 30 deletions
|
@ -244,42 +244,60 @@ def create_user(module, iam, name, pwd, path, key_state, key_count):
|
||||||
return (user_info, changed)
|
return (user_info, changed)
|
||||||
|
|
||||||
|
|
||||||
def delete_user(module, iam, name):
|
def delete_dependencies_first(module, iam, name):
|
||||||
changed = False
|
changed = False
|
||||||
|
# try to delete any keys
|
||||||
try:
|
try:
|
||||||
current_keys = [ck['access_key_id'] for ck in
|
current_keys = [ck['access_key_id'] for ck in
|
||||||
iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata]
|
iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata]
|
||||||
for key in current_keys:
|
for key in current_keys:
|
||||||
iam.delete_access_key(key, name)
|
iam.delete_access_key(key, name)
|
||||||
|
changed = True
|
||||||
|
except boto.exception.BotoServerError as err:
|
||||||
|
module.fail_json(changed=changed, msg="Failed to delete keys: %s" % err, exception=traceback.format_exc())
|
||||||
|
|
||||||
|
# try to delete login profiles
|
||||||
try:
|
try:
|
||||||
login_profile = iam.get_login_profiles(name).get_login_profile_response
|
login_profile = iam.get_login_profiles(name).get_login_profile_response
|
||||||
|
iam.delete_login_profile(name)
|
||||||
|
changed = True
|
||||||
except boto.exception.BotoServerError as err:
|
except boto.exception.BotoServerError as err:
|
||||||
error_msg = boto_exception(err)
|
error_msg = boto_exception(err)
|
||||||
if ('Cannot find Login Profile') in error_msg:
|
if 'Cannot find Login Profile' not in error_msg:
|
||||||
iam.delete_user(name)
|
module.fail_json(changed=changed, msg="Failed to delete login profile: %s" % err, exception=traceback.format_exc())
|
||||||
else:
|
|
||||||
iam.delete_login_profile(name)
|
# try to detach policies
|
||||||
iam.delete_user(name)
|
try:
|
||||||
except Exception as ex:
|
|
||||||
module.fail_json(changed=False, msg="delete failed %s" %ex)
|
|
||||||
if ('must detach all policies first') in error_msg:
|
|
||||||
for policy in iam.get_all_user_policies(name).list_user_policies_result.policy_names:
|
for policy in iam.get_all_user_policies(name).list_user_policies_result.policy_names:
|
||||||
iam.delete_user_policy(name, policy)
|
iam.delete_user_policy(name, policy)
|
||||||
try:
|
changed = True
|
||||||
iam.delete_user(name)
|
|
||||||
except boto.exception.BotoServerError as err:
|
except boto.exception.BotoServerError as err:
|
||||||
error_msg = boto_exception(err)
|
error_msg = boto_exception(err)
|
||||||
if ('must detach all policies first') in error_msg:
|
if 'must detach all policies first' in error_msg:
|
||||||
module.fail_json(changed=changed, msg="All inline polices have been removed. Though it appears"
|
module.fail_json(changed=changed, msg="All inline polices have been removed. Though it appears"
|
||||||
"that %s has Managed Polices. This is not "
|
"that %s has Managed Polices. This is not "
|
||||||
"currently supported by boto. Please detach the polices "
|
"currently supported by boto. Please detach the polices "
|
||||||
"through the console and try again." % name)
|
"through the console and try again." % name)
|
||||||
else:
|
module.fail_json(changed=changed, msg="Failed to delete policies: %s" % err, exception=traceback.format_exc())
|
||||||
module.fail_json(changed=changed, msg=str(error_msg))
|
|
||||||
else:
|
# try to deactivate associated MFA devices
|
||||||
|
try:
|
||||||
|
mfa_devices = iam.get_all_mfa_devices(name).get('list_mfa_devices_response', {}).get('list_mfa_devices_result', {}).get('mfa_devices', [])
|
||||||
|
for device in mfa_devices:
|
||||||
|
iam.deactivate_mfa_device(name, device['serial_number'])
|
||||||
changed = True
|
changed = True
|
||||||
else:
|
except boto.exception.BotoServerError as err:
|
||||||
module.fail_json(changed=changed, msg=str(error_msg))
|
module.fail_json(changed=changed, msg="Failed to deactivate associated MFA devices: %s" % err, exception=traceback.format_exc())
|
||||||
|
|
||||||
|
return changed
|
||||||
|
|
||||||
|
|
||||||
|
def delete_user(module, iam, name):
|
||||||
|
changed = delete_dependencies_first(module, iam, name)
|
||||||
|
try:
|
||||||
|
iam.delete_user(name)
|
||||||
|
except boto.exception.BotoServerError as ex:
|
||||||
|
module.fail_json(changed=changed, msg="Failed to delete user %s: %s" % (name, ex), exception=traceback.format_exc())
|
||||||
else:
|
else:
|
||||||
changed = True
|
changed = True
|
||||||
return name, changed
|
return name, changed
|
||||||
|
|
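Review bot: The managed-policy detection in delete_dependencies_first looks unreachable now: the `try:` introduced for the policy section only wraps `get_all_user_policies` and `delete_user_policy`, so the `'must detach all policies first'` check in its `except` (previously triggered by `iam.delete_user(name)` inside that block) can presumably no longer fire, and a user with attached managed policies will instead surface as the generic "Failed to delete user" message from the new delete_user(). If that reading is right, the explanatory fail_json should move into delete_user()'s except branch, e.g. `if 'must detach all policies first' in boto_exception(ex):` before the generic `module.fail_json(...)`, keeping the existing "Managed Polices" message text. Separately, `login_profile` in the login-profile section is assigned but never read; if `get_login_profiles` is only an existence probe, drop the binding or add a comment such as `# probe only: raises 'Cannot find Login Profile' when none exists`. The hunk opens inside create_user, whose body starts outside this view, and indentation is not preserved on this page, so where each `changed = True` sits relative to its loop could not be confirmed.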