If you have followed all the steps from Part 2 to Part 5 and want to remove everything they created, here is how to do it. I'll put the variables and the deletion tasks under one tag. If you only want to delete a specific resource, add and use more specific tags, just like the creation tasks.
The main points of this deletion process are:
Use the same module as for creation, but change the state from present to absent.
Remove the policies first, before deleting a user, group, or role.
Remove the group's members first, before deleting the group.
Remove the login profile and the access keys (if they exist) first, before deleting the user.
Why all these steps? Because the CLI is not as forgiving as the Console: it refuses to delete a resource that still has something attached to it, while the Console lets you delete things directly.
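The ordering rules above can be written down and checked before anything is run against the account. The following script is an added example, not code from the original post: it builds a deletion plan from a constructed in-memory description of the account (the user, group, role and policy names in the sample are assumptions loosely mirroring the series) and then replays the plan against a small model of the IAM constraints the post lists (dependencies gone before the principal, members gone before the group, customer managed policies detached before deletion), raising on the first step IAM would reject.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Action = Tuple[str, ...]


@dataclass
class Principal:
    """A user, group or role plus everything IAM requires to be gone before it can be deleted."""
    kind: str                                                  # "user", "group" or "role"
    name: str
    managed_policies: List[str] = field(default_factory=list)  # attached managed policy ARNs
    inline_policies: List[str] = field(default_factory=list)   # inline policy names
    groups: List[str] = field(default_factory=list)            # users only: group memberships
    access_key_ids: List[str] = field(default_factory=list)    # users only
    has_login_profile: bool = False                            # users only


def plan_deletion(principals: List[Principal], customer_policy_arns: List[str]) -> List[Action]:
    """Emit deletion steps in an order IAM accepts: strip every dependency off a
    principal before deleting it, delete users (and memberships) before groups,
    and delete customer managed policies last, once nothing references them."""
    plan: List[Action] = []
    for kind in ("role", "user", "group"):
        for p in (x for x in principals if x.kind == kind):
            for g in p.groups:
                plan.append(("remove_user_from_group", g, p.name))
            for arn in p.managed_policies:
                plan.append(("detach_policy", kind, p.name, arn))
            for pol in p.inline_policies:
                plan.append(("delete_inline_policy", kind, p.name, pol))
            for key_id in p.access_key_ids:
                plan.append(("delete_access_key", p.name, key_id))
            if p.has_login_profile:
                plan.append(("delete_login_profile", p.name))
            plan.append(("delete_principal", kind, p.name))
    for arn in customer_policy_arns:
        plan.append(("delete_policy", arn))
    return plan


def check_plan(plan: List[Action], principals: List[Principal], customer_policy_arns: List[str]):
    """Replay the plan against an in-memory model of the account and raise ValueError
    at the first step IAM would reject. Returns (principals left, policies left),
    both empty for a complete plan. Policy versions are not modelled (simplification)."""
    pending = {}                                      # (kind, name) -> things still attached
    members = {p.name: set() for p in principals if p.kind == "group"}
    for p in principals:
        pending[(p.kind, p.name)] = (set(p.managed_policies)
                                     | {("inline", n) for n in p.inline_policies}
                                     | {("key", k) for k in p.access_key_ids}
                                     | ({"login-profile"} if p.has_login_profile else set()))
        for g in p.groups:
            members[g].add(p.name)
    policies = set(customer_policy_arns)
    for act in plan:
        op, *args = act
        if op == "remove_user_from_group":
            members[args[0]].discard(args[1])
        elif op == "detach_policy":
            pending[(args[0], args[1])].discard(args[2])
        elif op == "delete_inline_policy":
            pending[(args[0], args[1])].discard(("inline", args[2]))
        elif op == "delete_access_key":
            pending[("user", args[0])].discard(("key", args[1]))
        elif op == "delete_login_profile":
            pending[("user", args[0])].discard("login-profile")
        elif op == "delete_principal":
            key = (args[0], args[1])
            if pending[key]:
                raise ValueError(f"{act}: still attached: {sorted(map(str, pending[key]))}")
            if key[0] == "group" and members[key[1]]:
                raise ValueError(f"{act}: group still has members: {sorted(members[key[1]])}")
            if key[0] == "user" and any(key[1] in m for m in members.values()):
                raise ValueError(f"{act}: user is still a member of a group")
            del pending[key]
        elif op == "delete_policy":
            if any(args[0] in deps for deps in pending.values()):
                raise ValueError(f"{act}: policy is still attached to a principal")
            policies.discard(args[0])
        else:
            raise ValueError(f"unknown action {op}")
    return set(pending), policies


def plan_is_valid(plan: List[Action], principals: List[Principal], customer_policy_arns: List[str]) -> bool:
    """True when the plan replays without IAM rejecting a step."""
    try:
        check_plan(plan, principals, customer_policy_arns)
        return True
    except ValueError:
        return False


# Constructed sample account (names and account id are assumptions, not from a real account).
SAMPLE_CUSTOMER_POLICIES = ["arn:aws:iam::123456789012:policy/IAMGetUser_Only"]
SAMPLE_PRINCIPALS = [
    Principal("role", "IAM_Policy", managed_policies=["arn:aws:iam::aws:policy/IAMReadOnlyAccess"]),
    Principal("group", "developer", managed_policies=SAMPLE_CUSTOMER_POLICIES),
    Principal("user", "name1", groups=["developer"], access_key_ids=["AKIAEXAMPLE0000000001"],
              has_login_profile=True),
    Principal("user", "name6", inline_policies=["IAMListUsers_Roles"],
              access_key_ids=["AKIAEXAMPLE0000000006"]),
]

if __name__ == "__main__":
    steps = plan_deletion(SAMPLE_PRINCIPALS, SAMPLE_CUSTOMER_POLICIES)
    for step in steps:
        print(" ".join(map(str, step)))
    print("leftover:", check_plan(steps, SAMPLE_PRINCIPALS, SAMPLE_CUSTOMER_POLICIES))
```

The plan the script prints maps one-to-one onto the tasks in the playbook further down (detach, remove members, delete keys and login profile, delete principal, delete policy). Feeding it a plan in the wrong order, for example deleting a user before its access key, makes check_plan raise with the exact dependency that is still attached, which is the same reason the real API call would fail.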
All we need before we are ready to run the playbook are two things.
1. Access Key of All Users
We have 6 users in total and all of them have access keys, so we need to delete the access keys first. The delete access key task needs each user's access key ID. Remember that we have a file named key_list.txt
that contains all users' access key IDs and secret access keys. We can copy the IDs directly from the file, or run the following (optional) task to get a simpler view of them.
- name: list user's key
  # single quotes around the awk program keep $2 away from the shell
  shell: "grep 'UserName\\|AccessKeyId' key_list.txt | awk '{ print $2 }' | sed 's/,$//'"
  register: output_key
  tags:
    - iam_user_key_list

- debug:
    var: output_key.stdout_lines
  tags:
    - iam_user_key_list
$ ansible-playbook -i host.yml iam.yml -t iam_user_key_list
PLAY [iam] *********************************************************************
TASK [list user's key] *********************************************************
changed: [localhost]
TASK [debug] *******************************************************************
ok: [localhost] => {
"output_key.stdout_lines": [
" \"UserName\": \"name1\"",
" \"AccessKeyId\": \"AKIAZ44MXOFLL5MRZWON\"",
" \"UserName\": \"name2\"",
" \"AccessKeyId\": \"AKIAZ44MXOFLL36LYJKV\"",
" \"UserName\": \"name3\"",
" \"AccessKeyId\": \"AKIAZ44MXOFLCMV33DHV\"",
" \"UserName\": \"name4\"",
" \"AccessKeyId\": \"AKIAZ44MXOFLDJASSSVD\"",
" \"UserName\": \"name5\"",
" \"AccessKeyId\": \"AKIAZ44MXOFLNSZ6RO3F\"",
" \"UserName\": \"name6\"",
" \"AccessKeyId\": \"AKIAZ44MXOFLB6U2TTEU\""
]
}
2. Create deletion tasks
Note: update the access key IDs in the delete user's key task with the values from your own key_list.txt.
- name: remove all managed policies from role
  community.aws.iam_role:
    name: "{{ item.name }}"
    assume_role_policy_document: "{{ item.file }}"
    managed_policies: []
  loop:
    - { name: IAM_Policy, file: "{{ lookup('file','role_policy.json') }}" }
  tags:
    - iam_deletion

- name: delete role
  community.aws.iam_role:
    name: "{{ item.name }}"
    assume_role_policy_document: "{{ item.file }}"
    state: absent
  loop:
    - { name: IAM, file: "{{ lookup('file','role_policy.json') }}" }
    - { name: IAM_Policy, file: "{{ lookup('file','role_policy.json') }}" }
  tags:
    - iam_deletion

- name: remove all group members from group with policy attached
  community.aws.iam_group:
    name: "{{ item.name }}"
    managed_policies: "{{ item.policy }}"
    purge_users: true
    state: present
  loop:
    - { name: "{{ group3 }}", policy: arn:aws:iam::aws:policy/IAMReadOnlyAccess }
    - { name: "{{ group1 }}", policy: arn:aws:iam::01234567890:policy/IAMGetUser_Only }
  tags:
    - iam_deletion

- name: remove all policies from group
  community.aws.iam_group:
    name: "{{ item.name }}"
    purge_policies: true
    state: present
  loop:
    - { name: "{{ group1 }}" }
    - { name: "{{ group2 }}" }
    - { name: "{{ group3 }}" }
  tags:
    - iam_deletion

- name: remove all policies from user
  community.aws.iam_user:
    name: "{{ item.name }}"
    purge_policies: true
    state: present
  loop:
    - { name: "{{ user5 }}" }
    - { name: "{{ user3 }}" }
  tags:
    - iam_deletion

- name: delete inline policy
  community.aws.iam_policy:
    iam_type: user
    iam_name: "{{ item.user }}"
    policy_name: "{{ item.name }}"
    state: absent
  loop:
    - { name: IAMListUsers_Roles, user: "{{ user6 }}" }
  tags:
    - iam_deletion

- name: delete managed policy
  community.aws.iam_managed_policy:
    policy_name: "{{ item.name }}"
    state: absent
  loop:
    - { name: IAMGetUser_Only }
  tags:
    - iam_deletion

- name: delete user's login profile
  command: aws iam delete-login-profile --user-name "{{ item.name }}"
  loop:
    - { name: "{{ user1 }}" }
    - { name: "{{ user2 }}" }
    - { name: "{{ user3 }}" }
    - { name: "{{ user4 }}" }
  tags:
    - iam_deletion

- name: delete user's key
  command: aws iam delete-access-key --user-name "{{ item.name }}" --access-key-id "{{ item.key }}"
  loop:
    - { name: "{{ user1 }}", key: AKIAZ44MXOFLL5MRZWON }
    - { name: "{{ user2 }}", key: AKIAZ44MXOFLL36LYJKV }
    - { name: "{{ user3 }}", key: AKIAZ44MXOFLCMV33DHV }
    - { name: "{{ user4 }}", key: AKIAZ44MXOFLDJASSSVD }
    - { name: "{{ user5 }}", key: AKIAZ44MXOFLNSZ6RO3F }
    - { name: "{{ user6 }}", key: AKIAZ44MXOFLB6U2TTEU }
  tags:
    - iam_deletion

- name: delete all users
  community.aws.iam_user:
    name: "{{ item }}"
    state: absent
  loop:
    - "{{ user1 }}"
    - "{{ user2 }}"
    - "{{ user3 }}"
    - "{{ user4 }}"
    - "{{ user5 }}"
    - "{{ user6 }}"
  tags:
    - iam_deletion

- name: delete all groups
  community.aws.iam_group:
    name: "{{ item }}"
    state: absent
  loop:
    - "{{ group1 }}"
    - "{{ group2 }}"
    - "{{ group3 }}"
  tags:
    - iam_deletion
3. Run the Playbook
$ ansible-playbook -i host.yml iam.yml -t iam_deletion
PLAY [iam] *********************************************************************
TASK [remove all managed policies from role] ***********************************
changed: [localhost] => (item={'name': 'IAM_Policy', 'file': {'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Action': 'sts:AssumeRole', 'Principal': {'AWS': 'arn:aws:iam::680510583126:user/name5'}}]}})
TASK [delete role] *************************************************************
changed: [localhost] => (item={'name': 'IAM', 'file': '{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Effect": "Allow",\n "Action": "sts:AssumeRole",\n "Principal": { "AWS": "arn:aws:iam::"{{ role_account_id }}":user/"{{ role_user }}"" },\n }\n ]\n}'})
changed: [localhost] => (item={'name': 'IAM_Policy', 'file': '{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Effect": "Allow",\n "Action": "sts:AssumeRole",\n "Principal": { "AWS": "arn:aws:iam::"{{ role_account_id }}":user/"{{ role_user }}"" },\n }\n ]\n}'})
TASK [remove all group members from group with policy attached] ****************
changed: [localhost] => (item={'name': 'engineer', 'policy': 'arn:aws:iam::aws:policy/IAMReadOnlyAccess'})
changed: [localhost] => (item={'name': 'developer', 'policy': 'arn:aws:iam::680510583126:policy/IAMGetUser_Only'})
TASK [remove all policies from group] ******************************************
changed: [localhost] => (item={'name': 'developer'})
changed: [localhost] => (item={'name': 'programmer'})
changed: [localhost] => (item={'name': 'engineer'})
TASK [remove all policies from user] *******************************************
changed: [localhost] => (item={'name': 'name5'})
changed: [localhost] => (item={'name': 'name3'})
TASK [delete inline policy] ****************************************************
changed: [localhost] => (item={'name': 'IAMListUsers_Roles', 'user': 'name6'})
TASK [delete managed policy] ***************************************************
changed: [localhost] => (item={'name': 'IAMGetUser_Only'})
TASK [delete user's login profile] *********************************************
changed: [localhost] => (item={'name': 'name1', 'pass': 'passwordup2U!'})
changed: [localhost] => (item={'name': 'name2', 'pass': 'passwordup2U!'})
changed: [localhost] => (item={'name': 'name3', 'pass': 'passwordup2U!'})
changed: [localhost] => (item={'name': 'name4', 'pass': 'passwordup2U!'})
TASK [delete user's key] *******************************************************
changed: [localhost] => (item={'name': 'name1', 'key': 'AKIAZ44MXOFLL5MRZWON'})
changed: [localhost] => (item={'name': 'name2', 'key': 'AKIAZ44MXOFLL36LYJKV'})
changed: [localhost] => (item={'name': 'name3', 'key': 'AKIAZ44MXOFLCMV33DHV'})
changed: [localhost] => (item={'name': 'name4', 'key': 'AKIAZ44MXOFLDJASSSVD'})
changed: [localhost] => (item={'name': 'name5', 'key': 'AKIAZ44MXOFLNSZ6RO3F'})
changed: [localhost] => (item={'name': 'name6', 'key': 'AKIAZ44MXOFLB6U2TTEU'})
TASK [delete all users] ********************************************************
changed: [localhost] => (item=name1)
changed: [localhost] => (item=name2)
changed: [localhost] => (item=name3)
changed: [localhost] => (item=name4)
changed: [localhost] => (item=name5)
changed: [localhost] => (item=name6)
TASK [delete all groups] *******************************************************
changed: [localhost] => (item=developer)
changed: [localhost] => (item=programmer)
changed: [localhost] => (item=engineer)
That's a wrap! Thanks for following all parts of this series. Follow me to get notified when I publish a new post. Thank you!