
ZombieLab CreateIAMUsers Custom Resource Lambda leaves things in a bad state on failure

Open sjmcgrath opened this issue 6 years ago • 1 comments

Summary

CreateZombieWorkshop.json fails to create if password policy is violated by IAM User created by Custom Resource. The Custom Resource does not clean up properly after itself on failure and subsequent attempts to create the Stack (with the same Stack name) will fail because IAM User and Group already exist with the same name.

Steps to Reproduce

  1. Set a password policy that isn't fulfilled by IamUsers/create.js#L12
  2. Create a stack from CreateZombieWorkshop.json

Actual Result

  • The CreateIAMUsers Custom Resource fails to create
  • In CloudWatch Logs we see that the createLoginProfile failed (although it doesn't provide the reason why even though the API returns why)
  • IAM Group created by Lambda isn't removed
  • IAM User created by Lambda isn't removed

To Improve

  • the Lambda needs to handle failure on create so that any resources it has already created are removed
  • there should be better logging for any such failure to make debugging easier
  • Ahh! The password is hardcoded in the Lambda. Maybe pass it in as a NoEcho Parameter? Do we even need to create a login profile for these IAM Users?

sjmcgrath avatar Mar 01 '19 22:03 sjmcgrath

CloudTrail Event log for the actual failure that initiated the described problems. event.json

sjmcgrath avatar Mar 01 '19 22:03 sjmcgrath