[BB-1367] add delete iam user resource (NEW PERMISSIONS NEEDED) (#89)

* add delete iam user resource

* add ci provisioning and deprovisioning test

* use proper iamClient

* add capabilities and config workflow

Author: agustin-conductor

.github/workflows/capabilities_and_config.yaml

@@ -0,0 +1,45 @@
+name: Generate capabilities and config schema
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  generate_outputs:
+    if: github.actor != 'github-actions[bot]'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.RELENG_GITHUB_TOKEN }}
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: Build
+        run: go build -o connector ./cmd/baton-aws
+
+      - name: Run and save config output
+        run: ./connector config > config_schema.json
+
+      - name: Run and save capabilities output
+        env:
+          BATON_GLOBAL_AWS_SSO_REGION: us-east-1
+          BATON_GLOBAL_REGION: us-east-1
+          BATON_GLOBAL_ACCESS_KEY_ID: my-key-id
+          BATON_GLOBAL_SECRET_ACCESS_KEY: my-secret-key
+        run: ./connector capabilities > baton_capabilities.json
+
+      - name: Commit changes
+        uses: EndBug/add-and-commit@v9
+        with:
+          default_author: github_actions
+          message: "Updating baton config schema and capabilities."
+          add: |
+            config_schema.json
+            baton_capabilities.json

.github/workflows/ci.yaml

@@ -68,3 +68,12 @@ jobs:
           baton-entitlement: 'sso_group:arn:aws:identitystore:us-east-1::d-90679d1878/group/9458d408-40b1-709f-4f45-92be754928e5:member'
           baton-principal: 'arn:aws:identitystore:us-east-1::d-90679d1878/user/54982488-f0d1-70c1-1dd5-6db47f7add45'
           baton-principal-type: 'sso_user'
+      - name: Test IAM user provisioning and deprovisioning
+        uses: ConductorOne/github-workflows/actions/account-provisioning@v3
+        with:
+          connector: ./baton-aws
+          account-email: '[email protected]'
+          account-display-name: 'test-user-ci'
+          account-profile: '{"username": "test-user-ci", "email": "[email protected]"}' 
+          account-type: 'iam_user'
+          search-method: 'display_name'

baton_capabilities.json

@@ -0,0 +1,79 @@
+{
+  "@type":  "type.googleapis.com/c1.connector.v2.ConnectorCapabilities",
+  "resourceTypeCapabilities":  [
+    {
+      "resourceType":  {
+        "id":  "group",
+        "displayName":  "Group",
+        "traits":  [
+          "TRAIT_GROUP"
+        ],
+        "annotations":  [
+          {
+            "@type":  "type.googleapis.com/c1.connector.v2.V1Identifier",
+            "id":  "group"
+          }
+        ]
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC",
+        "CAPABILITY_PROVISION"
+      ]
+    },
+    {
+      "resourceType":  {
+        "id":  "iam_user",
+        "displayName":  "IAM User",
+        "traits":  [
+          "TRAIT_USER"
+        ],
+        "annotations":  [
+          {
+            "@type":  "type.googleapis.com/c1.connector.v2.SkipEntitlementsAndGrants"
+          },
+          {
+            "@type":  "type.googleapis.com/c1.connector.v2.V1Identifier",
+            "id":  "iam_user"
+          }
+        ]
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC",
+        "CAPABILITY_ACCOUNT_PROVISIONING",
+        "CAPABILITY_RESOURCE_DELETE"
+      ]
+    },
+    {
+      "resourceType":  {
+        "id":  "role",
+        "displayName":  "IAM Role",
+        "traits":  [
+          "TRAIT_ROLE"
+        ],
+        "annotations":  [
+          {
+            "@type":  "type.googleapis.com/c1.connector.v2.V1Identifier",
+            "id":  "role"
+          }
+        ]
+      },
+      "capabilities":  [
+        "CAPABILITY_SYNC"
+      ]
+    }
+  ],
+  "connectorCapabilities":  [
+    "CAPABILITY_PROVISION",
+    "CAPABILITY_SYNC",
+    "CAPABILITY_ACCOUNT_PROVISIONING",
+    "CAPABILITY_RESOURCE_DELETE"
+  ],
+  "credentialDetails":  {
+    "capabilityAccountProvisioning":  {
+      "supportedCredentialOptions":  [
+        "CAPABILITY_DETAIL_CREDENTIAL_OPTION_NO_PASSWORD"
+      ],
+      "preferredCredentialOption":  "CAPABILITY_DETAIL_CREDENTIAL_OPTION_NO_PASSWORD"
+    }
+  }
+}

pkg/connector/iam_user.go

@@ -288,3 +288,178 @@ func (o *iamUserResourceType) CreateAccount(
 		IsCreateAccountResult: true,
 	}, nil, nil, nil
 }
+
+func (o *iamUserResourceType) Delete(ctx context.Context, resourceId *v2.ResourceId, parentResourceID *v2.ResourceId) (annotations.Annotations, error) {
+	var noSuchEntity *iamTypes.NoSuchEntityException
+	l := ctxzap.Extract(ctx)
+	if resourceId.ResourceType != resourceTypeIAMUser.Id {
+		return nil, fmt.Errorf("aws-connector: only IAM user resources can be deleted")
+	}
+	userName, err := iamUserNameFromARN(resourceId.Resource)
+	if err != nil {
+		return nil, err
+	}
+	awsStringUserName := awsSdk.String(userName)
+
+	iamClient := o.iamClient
+	if parentResourceID != nil {
+		iamClient, err = o.awsClientFactory.GetIAMClient(ctx, parentResourceID.Resource)
+		if err != nil {
+			return nil, fmt.Errorf("aws-connector: GetIAMClient failed: %w", err)
+		}
+	}
+
+	// try to fetch the user, if not found then the user has already been deleted
+	user, err := iamClient.GetUser(ctx, &iam.GetUserInput{UserName: awsStringUserName})
+	if err != nil {
+		if errors.As(err, &noSuchEntity) {
+			l.Info("User not found, returning success for delete operation")
+			return nil, nil
+		}
+		return nil, fmt.Errorf("aws-connector: iam.GetUser failed: %w", err)
+	}
+
+	if user.User == nil {
+		return nil, fmt.Errorf("aws-connector: user not found")
+	}
+
+	// To delete a user through the API we'll need to manually delete information associated with it,
+	// which is a 10 step process (9 + delete itself).
+	// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_remove.html#id_users_deleting_cli
+
+	// Permission needed: iam:DeleteLoginProfile
+	_, err = iamClient.DeleteLoginProfile(ctx, &iam.DeleteLoginProfileInput{UserName: awsStringUserName})
+	if err != nil {
+		if !errors.As(err, &noSuchEntity) {
+			return nil, fmt.Errorf("aws-connector: failed to delete login profile: %w", err)
+		}
+		l.Info("login profile not found, skipping")
+	}
+
+	// Delete all access keys
+	// Permission needed: iam:ListAccessKeys, iam:DeleteAccessKey
+	keys, err := iamClient.ListAccessKeys(ctx, &iam.ListAccessKeysInput{UserName: awsStringUserName})
+	if err != nil {
+		return nil, fmt.Errorf("aws-connector: failed to list access keys: %w", err)
+	}
+
+	for _, key := range keys.AccessKeyMetadata {
+		_, err = iamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{UserName: awsStringUserName, AccessKeyId: awsSdk.String(awsSdk.ToString(key.AccessKeyId))})
+		if err != nil {
+			return nil, fmt.Errorf("aws-connector: failed to delete access key: %w", err)
+		}
+	}
+
+	// Delete all signing certificates
+	// Permission needed: iam:ListSigningCertificates, iam:DeleteSigningCertificate
+	certificates, err := iamClient.ListSigningCertificates(ctx, &iam.ListSigningCertificatesInput{UserName: awsStringUserName})
+	if err != nil {
+		return nil, fmt.Errorf("aws-connector: failed to list signing certificates: %w", err)
+	}
+
+	for _, certificate := range certificates.Certificates {
+		_, err = iamClient.DeleteSigningCertificate(ctx, &iam.DeleteSigningCertificateInput{UserName: awsStringUserName, CertificateId: awsSdk.String(awsSdk.ToString(certificate.CertificateId))})
+		if err != nil {
+			return nil, fmt.Errorf("aws-connector: failed to delete signing certificate: %w", err)
+		}
+	}
+
+	// Delete all SSH public keys
+	// Permission needed: iam:ListSSHPublicKeys, iam:DeleteSSHPublicKey
+	sshKeys, err := iamClient.ListSSHPublicKeys(ctx, &iam.ListSSHPublicKeysInput{UserName: awsStringUserName})
+	if err != nil {
+		return nil, fmt.Errorf("aws-connector: failed to list SSH public keys: %w", err)
+	}
+
+	for _, key := range sshKeys.SSHPublicKeys {
+		_, err = iamClient.DeleteSSHPublicKey(ctx, &iam.DeleteSSHPublicKeyInput{UserName: awsStringUserName, SSHPublicKeyId: awsSdk.String(awsSdk.ToString(key.SSHPublicKeyId))})
+		if err != nil {
+			return nil, fmt.Errorf("aws-connector: failed to delete SSH public key: %w", err)
+		}
+	}
+
+	// Delete all service specific credentials
+	// Permission needed: iam:ListServiceSpecificCredentials, iam:DeleteServiceSpecificCredential
+	ssCredentials, err := iamClient.ListServiceSpecificCredentials(ctx, &iam.ListServiceSpecificCredentialsInput{UserName: awsStringUserName})
+	if err != nil {
+		return nil, fmt.Errorf("aws-connector: failed to list service specific credentials: %w", err)
+	}
+
+	for _, credential := range ssCredentials.ServiceSpecificCredentials {
+		_, err = iamClient.DeleteServiceSpecificCredential(
+			ctx,
+			&iam.DeleteServiceSpecificCredentialInput{
+				UserName:                    awsStringUserName,
+				ServiceSpecificCredentialId: awsSdk.String(awsSdk.ToString(credential.ServiceSpecificCredentialId)),
+			},
+		)
+		if err != nil {
+			return nil, fmt.Errorf("aws-connector: failed to delete service specific credential: %w", err)
+		}
+	}
+
+	// If user has MFA, deactivate them
+	// Permission needed: iam:ListMFADevices, iam:DeactivateMFADevice
+	mfaDevices, err := iamClient.ListMFADevices(ctx, &iam.ListMFADevicesInput{UserName: awsStringUserName})
+	if err != nil {
+		return nil, fmt.Errorf("aws-connector: failed to list MFA devices: %w", err)
+	}
+
+	for _, device := range mfaDevices.MFADevices {
+		_, err = iamClient.DeactivateMFADevice(ctx, &iam.DeactivateMFADeviceInput{UserName: awsStringUserName, SerialNumber: awsSdk.String(awsSdk.ToString(device.SerialNumber))})
+		if err != nil {
+			return nil, fmt.Errorf("aws-connector: failed to deactivate MFA device: %w", err)
+		}
+	}
+
+	// Delete users inline policies
+	// Permission needed: iam:ListUserPolicies, iam:DeleteUserPolicy
+	userPolicies, err := iamClient.ListUserPolicies(ctx, &iam.ListUserPoliciesInput{UserName: awsStringUserName})
+	if err != nil {
+		return nil, fmt.Errorf("aws-connector: failed to list user policies: %w", err)
+	}
+
+	for _, policy := range userPolicies.PolicyNames {
+		_, err = iamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{UserName: awsStringUserName, PolicyName: awsSdk.String(policy)})
+		if err != nil {
+			return nil, fmt.Errorf("aws-connector: failed to delete user policy: %w", err)
+		}
+	}
+
+	// List and detach all attached policies
+	// Permission needed: iam:ListAttachedUserPolicies, iam:DetachUserPolicy
+	attachedPolicies, err := iamClient.ListAttachedUserPolicies(ctx, &iam.ListAttachedUserPoliciesInput{UserName: awsStringUserName})
+	if err != nil {
+		return nil, fmt.Errorf("aws-connector: failed to list attached user policies: %w", err)
+	}
+
+	for _, policy := range attachedPolicies.AttachedPolicies {
+		_, err = iamClient.DetachUserPolicy(ctx, &iam.DetachUserPolicyInput{UserName: awsStringUserName, PolicyArn: awsSdk.String(awsSdk.ToString(policy.PolicyArn))})
+		if err != nil {
+			return nil, fmt.Errorf("aws-connector: failed to detach user policy: %w", err)
+		}
+	}
+
+	// Remove the user from any IAM groups
+	// Permission needed: iam:ListGroupsForUser, iam:RemoveUserFromGroup
+	userGroups, err := iamClient.ListGroupsForUser(ctx, &iam.ListGroupsForUserInput{UserName: awsStringUserName})
+	if err != nil {
+		return nil, fmt.Errorf("aws-connector: failed to list groups for user: %w", err)
+	}
+
+	for _, group := range userGroups.Groups {
+		_, err = iamClient.RemoveUserFromGroup(ctx, &iam.RemoveUserFromGroupInput{UserName: awsStringUserName, GroupName: awsSdk.String(awsSdk.ToString(group.GroupName))})
+		if err != nil {
+			return nil, fmt.Errorf("aws-connector: failed to remove user from group: %w", err)
+		}
+	}
+
+	// Proceed to delete the user
+	// Permission needed: iam:DeleteUser
+	_, err = iamClient.DeleteUser(ctx, &iam.DeleteUserInput{UserName: awsStringUserName})
+	if err != nil {
+		return nil, fmt.Errorf("aws-connector: failed to delete user: %w", err)
+	}
+
+	return nil, nil
+}