diff --git a/builtin/providers/aws/resource_aws_iam_user.go b/builtin/providers/aws/resource_aws_iam_user.go
index 82b502f906..e2ebdd7361 100644
--- a/builtin/providers/aws/resource_aws_iam_user.go
+++ b/builtin/providers/aws/resource_aws_iam_user.go
@@ -54,7 +54,7 @@ func resourceAwsIamUser() *schema.Resource {
 Type: schema.TypeBool,
 Optional: true,
 Default: false,
- Description: "Delete user even if it has non-Terraform-managed IAM access keys and login profile",
+ Description: "Delete user even if it has non-Terraform-managed IAM access keys, login profile or MFA devices",
 },
 },
 }
@@ -167,7 +167,7 @@ func resourceAwsIamUserDelete(d *schema.ResourceData, meta interface{}) error {
 }
 }
 
- // All access keys and login profile for the user must be removed
+ // All access keys, MFA devices and login profile for the user must be removed
 if d.Get("force_destroy").(bool) {
 var accessKeys []string
 listAccessKeys := &iam.ListAccessKeysInput{
@@ -193,6 +193,30 @@ func resourceAwsIamUserDelete(d *schema.ResourceData, meta interface{}) error {
 }
 }
 
+ var MFADevices []string
+ listMFADevices := &iam.ListMFADevicesInput{
+ UserName: aws.String(d.Id()),
+ }
+ pageOfMFADevices := func(page *iam.ListMFADevicesOutput, lastPage bool) (shouldContinue bool) {
+ for _, m := range page.MFADevices {
+ MFADevices = append(MFADevices, *m.SerialNumber)
+ }
+ return !lastPage
+ }
+ err = iamconn.ListMFADevicesPages(listMFADevices, pageOfMFADevices)
+ if err != nil {
+ return fmt.Errorf("Error removing MFA devices of user %s: %s", d.Id(), err)
+ }
+ for _, m := range MFADevices {
+ _, err := iamconn.DeactivateMFADevice(&iam.DeactivateMFADeviceInput{
+ UserName: aws.String(d.Id()),
+ SerialNumber: aws.String(m),
+ })
+ if err != nil {
+ return fmt.Errorf("Error deactivating MFA device %s: %s", m, err)
+ }
+ }
+
 _, err = iamconn.DeleteLoginProfile(&iam.DeleteLoginProfileInput{
 UserName: aws.String(d.Id()),
 })
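Review bot: The error returned after `iamconn.ListMFADevicesPages` in the third hunk says "removing" although that call only lists devices, so a failed listing is reported as a failed removal; `return fmt.Errorf("Error listing MFA devices of user %s: %s", d.Id(), err)` describes what actually happened. `*m.SerialNumber` dereferences an SDK pointer field with no nil check inside the page callback, and `aws.StringValue(m.SerialNumber)` would avoid a panic on a missing serial. The local `MFADevices` should be mixedCaps (`mfaDevices`), matching the neighbouring `accessKeys`. DeactivateMFADevice only breaks the association with the user, so a virtual MFA device presumably remains as an orphaned IAM resource once the user is deleted — a comment on the loop such as `// Deactivation only detaches the device; virtual MFA devices are not deleted here` would make that visible to maintainers. The body of resourceAwsIamUserDelete begins and ends outside the hunk.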
diff --git a/website/source/docs/providers/aws/r/iam_user.html.markdown b/website/source/docs/providers/aws/r/iam_user.html.markdown
index 69d54e62e2..77de19b530 100644
--- a/website/source/docs/providers/aws/r/iam_user.html.markdown
+++ b/website/source/docs/providers/aws/r/iam_user.html.markdown
@@ -48,8 +48,8 @@ The following arguments are supported:
 * `name` - (Required) The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `=,.@-_.`. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser".
 * `path` - (Optional, default "/") Path in which to create the user.
-* `force_destroy` - (Optional, default false) When destroying this user, destroy
- even if it has non-Terraform-managed IAM access keys and login profile. Without `force_destroy`
+* `force_destroy` - (Optional, default false) When destroying this user, destroy even if it
+ has non-Terraform-managed IAM access keys, login profile or MFA devices. Without `force_destroy`
 a user with non-Terraform-managed access keys and login profile will fail to be destroyed.
 ## Attributes Reference