Last updated: 13 Dec 2022

Remove a user from Puppet

Removing a user from our infrastructure via Puppet is a two-change process that requires a deploy in the middle. The first change ensures that the user’s home directory is removed when Puppet runs; the second change removes the user from Puppet itself. If the user is just removed from Puppet, their files will remain on our servers forever more, unless you perform a workaround.

  1. First, find the user manifest in modules/users/manifests.
  2. Add an entry of ensure => absent to the govuk_user class. Here is an example.
  3. Once this has been raised as a PR and merged, deploy Puppet to all environments.
  4. Create a PR in GOV.UK secrets that removes the user from AWS production hieradata. Follow the instructions in ‘what to do when someone leaves’.
  5. Create another PR for Puppet that:
  6. Once these have been merged, deploy Puppet again to all environments.

What to do if you miss the ‘ensure absent’ step

If you forgot to apply the ensure => absent step in the instructions above, the user’s home directory will persist on any machine they have previously SSH’d into. This isn’t inherently bad, but it has caused issues with disk space in the past where users had large files in that directory.

Machines will eventually get recycled as they’re scaled up or down, so these directories should naturally start to disappear over time. If there is a need to remove the directories more quickly, you can consider using some of the commands here.

Unfortunately, it’s not possible to retrospectively reintroduce the user with an ensure => absent argument, as the user will already have been deleted. Filesystem permissions are tied to user IDs rather than names.
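
Because ownership is recorded by numeric user ID, a leftover home directory shows up as owned by a UID that no longer maps to any account. The function below is an added example, not part of GOV.UK's own tooling or the commands linked above: it lists such directories with their size so you can judge whether the disk usage matters. The function name and the optional passwd-file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report home directories whose owning UID has no account.
# Usage (after sourcing): orphaned_homes [home_base] [passwd_file]
#   home_base   directory that holds the home directories (default: /home)
#   passwd_file passwd-format file of known accounts; hypothetical override
#               for offline checks (default: live `getent passwd` output)
# Output: one line per orphaned directory: UID <TAB> size in KiB <TAB> path
orphaned_homes() {
  base="${1:-/home}"
  passwd_file="${2:-}"

  # Field 3 of a passwd entry is the numeric UID.
  if [ -n "$passwd_file" ]; then
    known_uids=$(cut -d: -f3 "$passwd_file")
  else
    known_uids=$(getent passwd | cut -d: -f3)
  fi

  for entry in "$base"/*/; do
    dir="${entry%/}"
    # Skip an unmatched glob and symlinks, which could point outside $base.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
      continue
    fi

    # `ls -n` prints the owner as a number, which is all that is left
    # once the account name has been deleted.
    uid=$(ls -ldn "$dir" | awk '{print $3}')

    if ! printf '%s\n' "$known_uids" | grep -qxF "$uid"; then
      size_kib=$(du -sk "$dir" 2>/dev/null | cut -f1)
      printf '%s\t%s\t%s\n' "$uid" "$size_kib" "$dir"
    fi
  done
  return 0
}
```

The function only reports and deletes nothing; run it with enough privilege for du to read every home directory, otherwise the sizes will be understated.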