Remove a user from Puppet
Removing a user from our infrastructure via Puppet is a 2 change process that requires a deploy in the middle. The first change ensures that when Puppet runs the user’s home directory is removed; the second change removes the user from Puppet itself. If the user is just removed from Puppet their files will remain on our servers forever more, unless you perform a workaround.
- First find the user manifest in: modules/users/manifests.
- Add an entry to the govuk_user class of
ensure => absent. Here is an example.
- Once this has been raised as a PR and merged, deploy Puppet to all environments.
- Create a PR in GOV.UK secrets that:
- Create another PR for Puppet that:
- Removes the user manifest file
- Removes the user from Integration users
- Once these have been merged, deploy Puppet again to all environments.
What to do if you miss the ‘ensure absent’ step
If you forgot to apply the
ensure => absent step in the instructions above,
the user’s home directory will persist on any machine they have SSH’d into in
the past. This isn’t inherently bad, but has caused issues with disk space in
the past where user had large files in that directory.
Machines will eventually get recycled as they’re scaled up or down, so these directories should naturally start to disappear over time. If there is a need to remove the directories more quickly, you can consider using a fabric script.
Unfortunately it’s not possible to retrospectively reintroduce
the user with a
ensure => absent argument, as the user will already have
been deleted. Filesystem permissions are done through user IDs rather than names.