We created the users in version 0.6.5 and upgraded to Terraform 0.7.0; I currently have the issue in Terraform 0.7.0 with the same tf file.
Simple IAM user created:
```hcl
resource "aws_iam_user" "abc" {
  name = "abc"
}
```
Now we need to remove it, so I just deleted the above part.
```
DeleteConflict: Cannot delete entity, must delete login profile first.
```
So I manually ran the AWS CLI to remove the login profile:
```
aws iam delete-login-profile --user-name abc
```
Then I got another DeleteConflict:
```
DeleteConflict: Cannot delete entity, must delete access keys first.
DeleteConflict: Cannot delete entity, must delete MFA device first
```
and so on.
Seems like a bug to me.
I experienced the same problem when deleting several AWS security groups containing rules with cross references. Terraform tried to delete security group A but it was still being referenced in the rules of security group B. The obvious solution would have been to delete all rules before proceeding with the security groups.
Is it because we created an API key and enabled MFA manually after the account was created by Terraform, so with the Terraform tfstate files, Terraform doesn't know about these changes?
Hi @SydOps
This is indeed the issue - Terraform shouldn't really destroy information that it doesn't manage. So if you have created extra information after the Terraform user was created. In 0.7.2, we introduced the following:
https://www.terraform.io/docs/providers/aws/r/iam_user.html#force_destroy
This will allow you to force the destruction of the Access Keys _BUT_ it won't destroy the MFA, I am afraid. In order to fulfil this specific use case of yours, we would need to force the deletion of anything (e.g. MFA, or login policies) before we delete the role.
Paul
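Added example, not part of the original thread or of Terraform: a shell function that checks what still blocks deletion of an IAM user (login profile, access keys, MFA devices) and prints the aws CLI commands that remove them, in the order the DeleteConflict errors appeared above. The function name `iam_user_cleanup_plan` is hypothetical; it assumes a configured aws CLI and only prints a plan, so the output can be reviewed before anything is deleted.

```shell
#!/usr/bin/env bash
# Added example: list the out-of-band IAM objects that cause DeleteConflict
# when a user is destroyed, as the aws CLI commands that would remove them.
# Read-only: it calls get/list APIs and prints the delete commands.

iam_user_cleanup_plan() {
  local user="$1" key serial
  [ -n "$user" ] || { echo "usage: iam_user_cleanup_plan USER" >&2; return 2; }

  # Login profile (console password): get-login-profile fails if none exists.
  if aws iam get-login-profile --user-name "$user" >/dev/null 2>&1; then
    echo "aws iam delete-login-profile --user-name $user"
  fi

  # Access keys created manually after Terraform created the user.
  for key in $(aws iam list-access-keys --user-name "$user" \
      --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
    echo "aws iam delete-access-key --user-name $user --access-key-id $key"
  done

  # MFA devices: deactivate first. A virtual device has an ARN as its
  # serial number and must also be deleted; a hardware device does not.
  for serial in $(aws iam list-mfa-devices --user-name "$user" \
      --query 'MFADevices[].SerialNumber' --output text); do
    echo "aws iam deactivate-mfa-device --user-name $user --serial-number $serial"
    case "$serial" in
      arn:aws:iam::*:mfa/*)
        echo "aws iam delete-virtual-mfa-device --serial-number $serial" ;;
    esac
  done
}
```

Call it as `iam_user_cleanup_plan abc`, review the printed commands, run them, and then let Terraform delete the user.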
Thanks for the confirmation. I am fine now.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.