How do I remove a user from Reference Architecture?

[timrwilliams]

I would like to remove a user account from the reference architecture setup. I have removed their entry from users.yml but when running terragrunt apply I receive the below error:

 Error: Error deleting IAM User x.x: DeleteConflict: Cannot delete entity, must remove tokens from principal first.
│ 	status code: 409, request id: e5ca38f3-0059-4fd2-ac39-ae2528dbbeab

I note in the underlying terraform docs there is a mention of a "force_destroy" process but not sure how to translate that to the Reference Architecture flow.

---

Tracked in ticket #110231

[pete0emerson]

Since MFA tokens are likely created outside of Terraform, you will need to delete these prior to running terraform to remove the account.

I wrote a script for you to handle this a bit easier than Click Ops in the console. I added in deletion of access keys as well, just in case those have to be removed prior to user deletion as well. Extend as you see fit, of course! This script just echoes to the screen, but can trivially be modified to actually run the aws commands.

#!/bin/bash

user=$1

if [[ -z $user ]] ; then
	echo "Specify user to remove access keys and tokens from."
	exit 0
fi

# Check to see if the user exists
aws iam get-user --user-name $user > /dev/null
if [[ $? -ne 0 ]] ; then
	# If there's an error, we'll see the problem (likely NoSuchEntity) sent to STDERR
	exit 1
fi

mfas=$(aws iam list-mfa-devices --user-name $user | grep SerialNumber | cut -d : -f 2- | sed 's/[ ",]//g')
for mfa in $mfas ; do
	echo "aws iam deactivate-mfa-device --user-name $user --serial-number $mfa"
	echo "aws iam delete-virtual-mfa-device --serial-number $mfa"
done

keys=$(aws iam list-access-keys --user-name $user | grep AccessKeyId | cut -d : -f 2 | sed 's/[ ",]//g')
for key in $keys ; do
	echo "aws iam delete-access-key --user-name $user --access-key-id $key"
done