
Destroying aws_iam_user_login_profile does not remove the user's password #3856

Closed
tomtomau opened this issue Mar 21, 2018 · 6 comments · Fixed by #7745
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.
Comments

@tomtomau

Hi there,

Not sure if I've misinterpreted something in the docs or stumbled upon a bit of a security hole.

Terraform Version

Terraform v0.11.4

  • provider.aws v1.11.0

Affected Resource(s)

  • aws_iam_user_login_profile

Terraform Configuration Files

```hcl
# IAM user. force_destroy lets Terraform delete the user even when it still
# has credentials (access keys, login profile, MFA devices) that Terraform
# does not manage.
resource "aws_iam_user" "foo" {
  name          = "${var.foo_username}"
  force_destroy = true
}

# Console login profile. The generated password is encrypted to pgp_key and
# exposed through the encrypted_password attribute.
resource "aws_iam_user_login_profile" "foo" {
  user                    = "${aws_iam_user.foo.name}"
  pgp_key                 = "${var.pgp_key}"
  password_reset_required = false
}

output "password" {
  value = "${aws_iam_user_login_profile.foo.encrypted_password}"
}
```

Expected Behavior

User should not be able to login with the login profile we just deleted.

Actual Behavior

The user can login with the login profile that was supposedly deleted.

Steps to Reproduce

  1. terraform apply
  2. Take password, decrypt and check that you can login through the console
  3. terraform destroy --target=aws_iam_user_login_profile.foo
  4. Try logging in once more with the same credentials and you will be able to login

Important Factoids

If you follow the below steps, you won't get a password output, which I believe is probably because it's executing this code branch

  1. terraform apply to apply all resources
  2. terraform destroy --target=aws_iam_user_login_profile.foo
  3. terraform apply to recreate the login profile
  4. Assert that the output says the password is an empty string (but it should be an actual value)

References

@bflad bflad added bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. labels Mar 21, 2018
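
As an added example (not code from the issue or from the provider), here is a shell check a practitioner can run after the targeted destroy in the reproduction steps above: it asks IAM directly whether the console login profile still exists, and for provider versions that leave it behind, deletes it out of band with the AWS CLI. Only documented `aws iam` and `terraform` commands are used; the resource address `aws_iam_user_login_profile.foo`, the user name `foo` and the `RUN_CHECK` switch are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the issue or the provider. Assumes the AWS CLI and
# Terraform are on PATH and that the configured credentials allow
# iam:GetLoginProfile and iam:DeleteLoginProfile.

# Return 0 if the IAM user still has a console login profile, 1 otherwise.
# `aws iam get-login-profile` exits non-zero (NoSuchEntity) when there is none.
login_profile_exists() {
  local user="$1"
  aws iam get-login-profile --user-name "$user" >/dev/null 2>&1
}

# Return 0 only when the profile is gone. Print a warning and return 1 if the
# console password survived the destroy (the behaviour reported in this issue).
verify_profile_removed() {
  local user="$1"
  if login_profile_exists "$user"; then
    echo "WARNING: login profile for '$user' still exists; console password is live" >&2
    return 1
  fi
  echo "OK: no login profile for '$user'"
}

# Workaround for provider versions that only create the profile: delete it
# directly through the API, then re-check. Returns 0 once it is confirmed absent.
ensure_profile_deleted() {
  local user="$1"
  if login_profile_exists "$user"; then
    aws iam delete-login-profile --user-name "$user"
  fi
  verify_profile_removed "$user"
}

# Full check: targeted destroy of the Terraform resource, then confirm in IAM.
# Resource address and user name are hypothetical; adjust to your configuration.
check_targeted_destroy() {
  local resource="${1:-aws_iam_user_login_profile.foo}"
  local user="${2:-foo}"
  terraform destroy -target="$resource" -auto-approve
  ensure_profile_deleted "$user"
}

# Only run when RUN_CHECK=1 so the functions can also be sourced into a shell.
if [ "${RUN_CHECK:-0}" = "1" ]; then
  check_targeted_destroy "$@"
fi
```

Run it as `RUN_CHECK=1 ./check.sh aws_iam_user_login_profile.foo foo`. The check deliberately goes to the IAM API rather than to Terraform state, because state is exactly what the targeted destroy updated; only `get-login-profile` tells you whether the password is still usable.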
@moritzheiber

Generally, the resource should support all available API actions properly. Right now it only supports create, and not even delete.

@bflad
Contributor

bflad commented Feb 13, 2019

Hi folks 👋 Sorry for this long running issue. 😖 I think we will plan on addressing this along with #7536 as the resource desperately needs a major overhaul and it's easiest just to bundle the work together. I'm marking as version 2.0.0 to ensure it's captured during that maintainer work cycle with the other issue, but we are also willing to look at contributions ahead of time as this is indeed buggy behavior.

@bflad bflad added this to the v2.0.0 milestone Feb 13, 2019
bflad added a commit that referenced this issue Feb 27, 2019
…esource recreation, and require import for existing infrastructure

References:
* #7536
* #3856

Output from acceptance testing:

```
--- PASS: TestAccAWSUserLoginProfile_notAKey (7.29s)
--- PASS: TestAccAWSUserLoginProfile_keybaseDoesntExist (7.36s)
--- PASS: TestAccAWSUserLoginProfile_PasswordLength (16.86s)
--- PASS: TestAccAWSUserLoginProfile_keybase (16.93s)
--- PASS: TestAccAWSUserLoginProfile_basic (24.81s)
```
@bflad
Contributor

bflad commented Feb 27, 2019

In version 2.0.0 of the Terraform AWS Provider, releasing later this week, the aws_iam_user_login_profile resource will now appropriately delete the login profile in IAM on Terraform resource destroy. 👍

@jkkathi1-zz

Destroying the aws_access_key_id resource would not destroy the access keys it created, resulting in duplicates. When you re-create the same user, the old keys used to appear on the AWS console.
Upgrading to version 2.0.0 of the AWS provider solved this issue.

@jkkathi1-zz

Is there a GitHub group for the Terraform AWS provider where the latest developments can be tracked and notifications can be set up?

@ghost

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020
4 participants