cisco.ios.ios_users module seems to be issuing ssh pubkey command when removing users #1092

Open
rbh1981 opened this issue Jun 21, 2024 · 1 comment

rbh1981 commented Jun 21, 2024

SUMMARY

When using cisco.ios.ios_users module to purge users, the commands seem to be adding 'ip ssh pubkey-chain'

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.ios.ios_user

ANSIBLE VERSION
ansible [core 2.16.7]
  config file = /home/azureuser/ansible/compliance/ansible.cfg
  configured module search path = ['/home/azureuser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/azureuser/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/azureuser/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/azureuser/.local/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True

COLLECTION VERSION
# /home/azureuser/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.ios  9.0.0  

CONFIGURATION
CONFIG_FILE() = /home/azureuser/ansible/compliance/ansible.cfg
DEFAULT_GATHERING(/home/azureuser/ansible/compliance/ansible.cfg) = explicit
DEFAULT_HOST_LIST(/home/azureuser/ansible/compliance/ansible.cfg) = ['/home/azureuser/ansible/compliance/hosts.yaml']
DEFAULT_JINJA2_EXTENSIONS(/home/azureuser/ansible/compliance/ansible.cfg) = jinja2.ext.loopcontrols,jinja2.ext.do
DEFAULT_VAULT_PASSWORD_FILE(env: ANSIBLE_VAULT_PASSWORD_FILE) = /home/azureuser/.vault/vault_pass
DISPLAY_SKIPPED_HOSTS(/home/azureuser/ansible/compliance/ansible.cfg) = False
DUPLICATE_YAML_DICT_KEY(/home/azureuser/ansible/compliance/ansible.cfg) = error
EDITOR(env: EDITOR) = nano
HOST_KEY_CHECKING(/home/azureuser/ansible/compliance/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/home/azureuser/ansible/compliance/ansible.cfg) = 30
PERSISTENT_CONNECT_TIMEOUT(/home/azureuser/ansible/compliance/ansible.cfg) = 60
RETRY_FILES_ENABLED(/home/azureuser/ansible/compliance/ansible.cfg) = False

OS / ENVIRONMENT

Cisco IOSv Version 15.9(3)M3

STEPS TO REPRODUCE

Configure a test user on a Cisco IOS device, e.g.
username test privilege 15 secret

Run example playbook and print command results

- name: "Play to configure device compliance settings"
  hosts: ios
  gather_facts: false

  tasks:
    - name: "Remove all unapproved users"
      cisco.ios.ios_user:
        aggregate:
          - name: "backup"
        purge: true
      register: results
      tags:
        - users

    - name: "Print removed local users"
      ansible.builtin.debug:
        msg: "{{ results }}"
      when:
        - results.changed | bool
        - results.commands is defined
      tags:
        - users

EXPECTED RESULTS

Command output should only issue command 'no username test'

ACTUAL RESULTS

Command output shows extra command 'ip ssh pubkey-chain'

ok: [R1] => {
    "msg": {
        "changed": true,
        "commands": [
            "ip ssh pubkey-chain",
            "no username test",
            "exit",
            {
                "answer": "y",
                "command": "no username test",
                "newline": false,
                "prompt": "This operation will remove all username related configurations with same name"
            }
        ],
        "failed": false
    }
}

@roverflow roverflow self-assigned this Jun 26, 2024

Syl4r-v commented Nov 15, 2024

I also noticed this. Because of the logic, a user without an SSH key will not get purged. The module assumes that all the users that are purged have an SSH key. This needs to be replaced so that it also does the no-command for the username at the main config level, not only under "ip ssh pubkey-chain".
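
A post-run check for the purge task, added here as an example and not part of the cisco.ios collection or of either participant's posts: it tracks config mode through the registered `commands` list to confirm each purged user gets a `no username` at global level, then compares a running-config against the approved list. The mode tracking, the function names, the pubkey-only list and the config text are constructed assumptions; the first list is the output reported in the issue.

```python
# Added example: audit what an ios_user purge task actually sent.
# Mode tracking below is a simplified assumption, not the collection's logic.

def classify(commands):
    """Return (mode, command) pairs; mode is 'global' or 'pubkey-chain'."""
    mode, out = "global", []
    for item in commands:
        # Prompt/answer entries are dicts; plain entries are strings.
        cmd = item["command"] if isinstance(item, dict) else item
        out.append((mode, cmd))
        if cmd == "ip ssh pubkey-chain":
            mode = "pubkey-chain"
        elif cmd in ("exit", "end"):
            mode = "global"
    return out


def purge_gaps(commands, users_to_purge):
    """Users that never receive 'no username <name>' at global config level."""
    removed = set()
    for mode, cmd in classify(commands):
        parts = cmd.split()
        if mode == "global" and parts[:2] == ["no", "username"] and len(parts) > 2:
            removed.add(parts[2])
    return sorted(set(users_to_purge) - removed)


def leftover_users(running_config, approved):
    """Local accounts still in a running-config that are not on the approved list."""
    found = set()
    for line in running_config.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "username":
            found.add(parts[1])
    return sorted(found - set(approved))


# Command list as reported in the issue.
REPORTED = ["ip ssh pubkey-chain", "no username test", "exit",
            {"answer": "y", "command": "no username test", "newline": False,
             "prompt": "This operation will remove all username related "
                       "configurations with same name"}]
# Constructed: a list whose only removal sits under pubkey-chain.
PUBKEY_ONLY = ["ip ssh pubkey-chain", "no username test", "exit"]
# Constructed running-config excerpt; secrets are placeholders.
SAMPLE_CONFIG = ("username backup privilege 15 secret 9 <placeholder>\n"
                 "username test privilege 15 secret 9 <placeholder>\n")

if __name__ == "__main__":
    print(purge_gaps(REPORTED, ["test"]), purge_gaps(PUBKEY_ONLY, ["test"]))
    print(leftover_users(SAMPLE_CONFIG, approved=["backup"]))
```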
