Attempt to clean up CF IAM users

nrb · nrb · commit 5a34a131d5e5 · 2024-12-09T08:56:50.000-05:00
Periodic tests seemed to get into a failure loop because an IAM user
with the same name already existed, which is not allowed. This then
failed the entire CloudFoundation stack. Depite the stack claiming to
have been rolled back, the next iteration would run into the same
problem.

This change includes IAM users in the list of resources we need to
specifically delete in the case of a CloudFoundation failure, just in
case they've leaked

Signed-off-by: Nolan Brubaker &lt;nolan@nbrubaker.com&gt;
diff --git a/test/e2e/shared/aws.go b/test/e2e/shared/aws.go
@@ -474,6 +474,7 @@ func deleteResourcesInCloudFormation(prov client.ConfigProvider, t *cfn_bootstra
 	iamSvc := iam.New(prov)
 	temp := *renderCustomCloudFormation(t)
 	var (
+		iamUsers         []*cfn_iam.User
 		iamRoles         []*cfn_iam.Role
 		instanceProfiles []*cfn_iam.InstanceProfile
 		policies         []*cfn_iam.ManagedPolicy
@@ -484,6 +485,9 @@ func deleteResourcesInCloudFormation(prov client.ConfigProvider, t *cfn_bootstra
 	// temp.Resources is a map. Traversing that directly results in undetermined order.
 	for _, val := range temp.Resources {
 		switch val.AWSCloudFormationType() {
+		case configservice.ResourceTypeAwsIamUser:
+			user := val.(*cfn_iam.User)
+			iamUsers = append(iamUsers, user)
 		case configservice.ResourceTypeAwsIamRole:
 			role := val.(*cfn_iam.Role)
 			iamRoles = append(iamRoles, role)
@@ -498,6 +502,19 @@ func deleteResourcesInCloudFormation(prov client.ConfigProvider, t *cfn_bootstra
 			groups = append(groups, group)
 		}
 	}
+	for _, user := range iamUsers {
+		By(fmt.Sprintf("deleting the following user: %q", user.UserName))
+		repeat := false
+		Eventually(func(gomega Gomega) bool {
+			err := DeleteUser(prov, user.UserName)
+			if err != nil && !repeat {
+				By(fmt.Sprintf("failed to delete user '%q'; reason: %+v", user.UserName, err))
+				repeat = true
+			}
+			code, ok := awserrors.Code(err)
+			return err == nil || (ok && code == iam.ErrCodeNoSuchEntityException)
+		}, 5*time.Minute, 5*time.Second).Should(BeTrue(), fmt.Sprintf("Eventually failed deleting the user: %q", user.UserName))
+	}
 	for _, role := range iamRoles {
 		By(fmt.Sprintf("deleting the following role: %s", role.RoleName))
 		repeat := false
@@ -598,6 +615,24 @@ func detachAllPoliciesForRole(prov client.ConfigProvider, name string) error {
 	return nil
 }
 
+// DeleteUser deletes an IAM user in a best effort manner.
+func DeleteUser(prov client.ConfigProvider, name string) error {
+	iamSvc := iam.New(prov)
+
+	// if role does not exist, return.
+	_, err := iamSvc.GetUser(&iam.GetUserInput{UserName: aws.String(name)})
+	if err != nil {
+		return err
+	}
+
+	_, err = iamSvc.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(name)})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // DeleteRole deletes roles in a best effort manner.
 func DeleteRole(prov client.ConfigProvider, name string) error {
 	iamSvc := iam.New(prov)
