Reputation: 7956
In Chef, managing users is straightforward when it comes to adding them, but I'm unsure of how to effectively manage the codebase when it comes to removing them. Say I have a user resource:
    user 'jane' do
      action :create
    end
This will create Jane's user, but what if Jane leaves the company? If I understand how the resource works, I can't just remove these lines from the recipe - I'd have to change the block to:
    user 'jane' do
      action :remove
    end
Is this sustainable if I have to manage a larger number of users? It seems like I'd have to remember to go in and change this block, then go in and remove this code once the recipe has been used on all relevant nodes, since once the user is gone the code isn't doing anything.
What's more, if I have a loop like this:
    node['users'].each do |name|
      user name do
        action :create
      end
    end
I would have to split individual users' names out of the attribute and add their own block to the recipe to remove them, then remember to remove that block once all nodes have converged.
Am I understanding the process correctly or is there a better way to manage user resources?
Upvotes: 0
Views: 68
Reputation: 54211
No, this isn't sustainable eventually. Any place big enough to worry about user turnover should already have switched to LDAP for centralized user management. It's terrible, but it's still basically the best we have. Usually this also goes hand-in-hand with an Active Directory server for other things and gets used on the side for Unix user management.
Upvotes: 3
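
Added example, not part of the question or the answer above: for nodes that still manage local accounts with the loop from the question, this plain Ruby keeps departed users in the data as tombstones, so offboarding is a data change rather than a recipe change, and it lists local accounts that no roster entry covers. It assumes `node['users']` is reshaped into a hash of name => state; the state names, the UID range, the function names and all sample data are assumptions.

```ruby
# ROSTER and SAMPLE_PASSWD are constructed sample data (hypothetical names).
ROSTER = {
  'jane'  => 'departed', # tombstone: stays in the data, recipe code never changes
  'alice' => 'active',
  'bob'   => 'active'
}.freeze

SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  alice:x:1001:1001::/home/alice:/bin/bash
  jane:x:1002:1002::/home/jane:/bin/bash
  carol:x:1003:1003::/home/carol:/bin/bash
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
PASSWD

# Parse passwd(5) text into { name => uid }, skipping blank, comment and malformed lines.
def local_accounts(passwd_text)
  passwd_text.each_line.with_object({}) do |line, acc|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    name, _pw, uid, = line.split(':')
    next unless name && uid.to_s.match?(/\A\d+\z/)
    acc[name] = uid.to_i
  end
end

# Map each rostered user to a Chef user action, and list accounts in the
# human UID range (assumed 1000..59999) that exist locally but are not rostered.
def plan_users(roster, passwd_text, uid_range: 1000..59_999)
  actions = roster.to_h do |name, state|
    case state
    when 'active'   then [name, :create]
    when 'departed' then [name, :remove]
    else raise ArgumentError, "unknown state #{state.inspect} for #{name}"
    end
  end
  unmanaged = local_accounts(passwd_text)
              .select { |name, uid| uid_range.cover?(uid) && !roster.key?(name) }
              .keys.sort
  { actions: actions, unmanaged: unmanaged }
end

# In a recipe, the :actions hash would drive the same loop the question uses:
#   plan[:actions].each do |name, act|
#     user(name) { action act }
#   end
```

Accounts reported under `:unmanaged` are only listed, not removed, so an account created outside Chef gets reviewed before anything deletes it.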