aws-ec2-ssh

Support for deleted/non-existent IAM group

Open nicholascowan opened this issue 7 years ago • 6 comments

This allows the import logic to work if a group has been deleted or does not exist (optional group)

It does so by combining stdout and stderr and stripping any lines which contain "(NoSuchEntity)", as AWSCLI will return the following:

An error occurred (NoSuchEntity) when calling the GetGroup operation: The group with name NonExistantGroup cannot be found.

If this particular solution is declined, can we support this functionality in some other way? Thanks.

nicholascowan, May 24 '18 20:05

This may have some issues with other types of permissions errors (other than NoSuchEntity on GetGroup), but it is a proof of concept really; any solution that allows group failure to pass through would be appreciated.

nicholascowan, May 24 '18 20:05

Implemented a much cleaner solution, which doesn't suppress the stderr. If you choose to accept this in some form, it should be easy to modify the boolean logic of the condition to make this an optional behavior.

nicholascowan, May 25 '18 17:05

Just one question before we start: What is the current behaviour? I expect import_users to fail if the group is deleted?

michaelwittig, Jun 01 '18 10:06

> Just one question before we start: What is the current behaviour? I expect import_users to fail if the group is deleted?

The proposed changes allow the import_users script to not fail when encountering a deleted and/or non-existent group. It will still get IAM Users from other groups, so if 2 of the 4 exist, it will work for those 2 just fine.

nicholascowan, Jun 01 '18 15:06

Any update to this investigation? Looking forward to using this repo instead of my personal fork.

nicholascowan, Jun 12 '18 16:06

I usually prefer "fail fast" over skipping errors. My opinion: If there is a group that does not exist, this is a configuration issue that should be fixed.

michaelwittig, Jun 18 '18 11:06
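
One way to reconcile the two positions in this thread, as an added example (it is not the PR's patch and not the project's import_users.sh): only the exact NoSuchEntity error on GetGroup is skipped, and only when opted in, while every other error still fails fast with stderr passed through. `ALLOW_MISSING_GROUPS` and both function names are hypothetical.

```shell
#!/bin/sh
# Added example; not the import_users.sh shipped by aws-ec2-ssh or the PR's patch.
# ALLOW_MISSING_GROUPS is a hypothetical opt-in; the default (0) keeps fail-fast.
ALLOW_MISSING_GROUPS="${ALLOW_MISSING_GROUPS:-0}"

# Print the user names of one IAM group, one per line.
# Returns 0 on success or on a tolerated missing group, 1 on any other error.
get_group_users() {
  local group="$1" out err_file
  err_file="$(mktemp)"
  if out="$(aws iam get-group --group-name "$group" \
        --query "Users[].[UserName]" --output text 2>"$err_file")"; then
    rm -f "$err_file"
    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    return 0
  fi
  # Tolerate only the exact error quoted in the issue, and only when opted in.
  if [ "$ALLOW_MISSING_GROUPS" = "1" ] && grep -qF \
      'An error occurred (NoSuchEntity) when calling the GetGroup operation' \
      "$err_file"; then
    echo "WARN: IAM group '$group' not found, skipping" >&2
    rm -f "$err_file"
    return 0
  fi
  # Anything else (AccessDenied, throttling, network) stays a hard failure,
  # and the CLI's own stderr is passed through rather than suppressed.
  cat "$err_file" >&2
  rm -f "$err_file"
  return 1
}

# Merge the users of every group given as an argument, de-duplicated.
# Stops at the first hard error so a partial user list is never returned.
get_users_from_groups() {
  local group users all=""
  local nl='
'
  for group in "$@"; do
    users="$(get_group_users "$group")" || return 1
    if [ -n "$users" ]; then all="${all}${users}${nl}"; fi
  done
  printf '%s' "$all" | sort -u
}
```

Because the caller gets either the complete merged list or a non-zero status, a permissions problem on one group cannot silently shrink the set of users that are synced.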