Tracking issue for removing three unused CI IAM users from the mailstrom Pulumi stacks.
Background
The mailstrom Pulumi program provisions a tb_pulumi.iam.UserWithAccessKey CI user in StackAccessPolicies.on_apply across all three stacks (dev, stage, prod). No GitHub Actions workflow in this repo or the wider thunderbird org consumes the resulting credentials.
Investigation results (thunderbird/platform-infrastructure#212):
- CloudTrail: zero events over 90 days across eu-central-1 + us-east-1 for all three users
- Org code search: no references to mailstrom-ci in any workflow
- Outcome: orphan users — safe to delete without a soak period
Work
- PR: feat/oidc-migration-212 (removing the on_apply CI user block)
- After merge: run pulumi up in dev, stage, prod stacks to destroy the users
Acceptance criteria
- pulumi up run in all three stacks
- aws iam get-user --user-name mailstrom-{dev,stage,prod}-ci --profile mzla-legacy returns NoSuchEntity for each
- docs/oidc-migration-inventory.md updated in platform-infrastructure (mailstrom row removed from Unclear/special)
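
Added example (not part of the issue or the project's code): a shell check for the get-user acceptance criterion that treats only NoSuchEntity as proof of deletion, so an expired session or AccessDenied is not mistaken for success. The function names are hypothetical; the user names and the mzla-legacy profile are taken from the issue.

```shell
#!/bin/sh
# Added example: verify that each mailstrom CI user is really gone.
# Function names are hypothetical; user names and profile come from the issue.

# check_ci_user_deleted ENV [PROFILE]
# Returns 0 if get-user fails with NoSuchEntity (user deleted),
#         1 if the user still exists,
#         2 for any other failure (expired credentials, AccessDenied,
#           throttling), which proves nothing about deletion.
check_ci_user_deleted() {
  local env="$1" profile="${2:-mzla-legacy}" user out
  user="mailstrom-${env}-ci"
  # Capture stderr as well: the AWS CLI writes the error code there.
  if out=$(aws iam get-user --user-name "$user" --profile "$profile" 2>&1); then
    echo "FAIL    $user still exists"
    return 1
  fi
  case "$out" in
    *NoSuchEntity*) echo "OK      $user not found"; return 0 ;;
    *)              echo "UNKNOWN $user: $out";     return 2 ;;
  esac
}

# check_all_ci_users [PROFILE]
# Checks dev, stage and prod, reports every result, and returns non-zero
# unless all three users are confirmed deleted.
check_all_ci_users() {
  local env rc=0
  for env in dev stage prod; do
    check_ci_user_deleted "$env" "${1:-mzla-legacy}" || rc=1
  done
  return "$rc"
}
```

Source the file and run check_all_ci_users after pulumi up has completed in all three stacks; any FAIL or UNKNOWN line leaves the criterion unmet.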