Merge pull request #40730 from ecdavis/boto_iam-delete-virtual-mfa-device

Change boto_iam.user_absent state to delete IAM user's virtual MFA device after deactivation.

salt/modules/boto_iam.py

@@ -54,7 +54,10 @@ from salt.ext.six.moves.urllib.parse import unquote as _unquote  # pylint: disab
 try:
     import boto
     import boto.iam
+    import boto3
+    import botocore
     logging.getLogger('boto').setLevel(logging.CRITICAL)
+    logging.getLogger('boto3').setLevel(logging.CRITICAL)
     HAS_BOTO = True
 except ImportError:
     HAS_BOTO = False
@@ -890,6 +893,31 @@ def deactivate_mfa_device(user_name, serial, region=None, key=None, keyid=None,
         return False
 
 
+def delete_virtual_mfa_device(serial, region=None, key=None, keyid=None, profile=None):
+    '''
+    Deletes the specified virtual MFA device.
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt myminion boto_iam.delete_virtual_mfa_device serial_num
+    '''
+    conn = __utils__['boto3.get_connection_func']('iam')()
+    try:
+        conn.delete_virtual_mfa_device(SerialNumber=serial)
+        log.info('Deleted virtual MFA device {0}.'.format(serial))
+        return True
+    except botocore.exceptions.ClientError as e:
+        log.debug(e)
+        if 'NoSuchEntity' in str(e):
+            log.info('Virtual MFA device {0} not found.'.format(serial))
+            return True
+        msg = 'Failed to delete virtual MFA device {0}.'
+        log.error(msg.format(serial))
+        return False
+
+
 def update_account_password_policy(allow_users_to_change_password=None,
                                    hard_expiry=None, max_password_age=None,
                                    minimum_password_length=None,

salt/states/boto_iam.py

@@ -250,12 +250,19 @@ def user_absent(name, delete_keys=True, delete_mfa_devices=True, delete_profile=
             for d in devices:
                 serial = d['serial_number']
                 if __opts__['test']:
-                    ret['comment'] = ' '.join([ret['comment'], 'IAM user {0} MFA device {1} is set to be deleted.'.format(name, serial)])
+                    ret['comment'] = ' '.join([ret['comment'], 'IAM user {0} MFA device {1} is set to be deactivated.'.format(name, serial)])
                     ret['result'] = None
                 else:
-                    mfa_deleted = __salt__['boto_iam.deactivate_mfa_device'](user_name=name, serial=serial, region=region, key=key, keyid=keyid, profile=profile)
+                    mfa_deactivated = __salt__['boto_iam.deactivate_mfa_device'](user_name=name, serial=serial, region=region, key=key, keyid=keyid, profile=profile)
+                    if mfa_deactivated:
+                        ret['comment'] = ' '.join([ret['comment'], 'IAM user {0} MFA device {1} is deactivated.'.format(name, serial)])
+                if __opts__['test']:
+                    ret['comment'] = ' '.join([ret['comment'], 'Virtual MFA device {0} is set to be deleted.'.format(serial)])
+                    ret['result'] = None
+                else:
+                    mfa_deleted = __salt__['boto_iam.delete_virtual_mfa_device'](serial=serial, region=region, key=key, keyid=keyid, profile=profile)
                     if mfa_deleted:
-                        ret['comment'] = ' '.join([ret['comment'], 'IAM user {0} MFA device {1} are deleted.'.format(name, serial)])
+                        ret['comment'] = ' '.join([ret['comment'], 'Virtual MFA device {0} is deleted.'.format(serial)])
     # delete the user's login profile
     if delete_profile:
         if __opts__['test']: