Relates only to data on residing fundraising systems
[] Identify any data the user has created or used that needs to be retained. This may affect account removal but should not affect deactivation.
[] Archive off any data that should be retained
[] Remove other data associated with the user (ie, scratch databases, etc)

Relates only to processes executing on fundraising systems
[-] Identify any business essential processes running as the user
[-] Identify any business essential processes running from within the user's data locations (ie homedir scripts, cron jobs, etc.)
[-] Transfer any business essential processes to a new user or service account
[-] Remove any cronjobs or ongoing process executions tied to the user

Shell account specifically
[-] account_setup:
    [-] Mark the user as _ensure: 'absent'_ in the users.yaml file.
    [-] Remove the user entries in the group_members.yaml file as appropriate.
    [-] Push out puppet changes.
    [-] Remove the user principal from kerberos as appropriate.

Provides access to multiple services
[x] Revoke the cert on frpm1001 using:  ssl_user_admin revoke username
[x] Check in the updated CRL to puppet-private
[x] Push out puppet changes.

Requires: useraccount
Just covering fundraising systems. ITS handles use of yubikey with any other systems
[-] Remove the user entry in puppet-private/manifests/passwords/yubico.pp
[-] Push out the puppet changes.

Only related to fundraising systems
Requires: useraccount, yubikey
[-] Remove ssh public key file from puppet-private/secrets/ssh/default/$username
[-] Push out the puppet changes.

Requires: useraccount, yubikey, ssh
[-] account_setup
    [-] Mark user as 'remove' => 1, in appropriate grant files
    [-] For cleanliness you can remove user from all rights blocks on dbs.
    [-] Run the grant script to get the grants.
    [-] Copy/paste to execute the grants or run the grants on the appropriate primary db
[-] user_data
    [-] Determine if there are any user specific dbs that need retention
    [-] Archive off any dbs that are no longer needed with expiration set

Requires: client_ssl_cert
[x] Change user account to Blocked
[x] Remove from any campaign notifications.
    [x] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;"
    [x] Remove using mysql or https://civicrm.wikimedia.org/admin/config/wmf_campaigns/list
[-] Remove from large donantion notifications.
    [-] Remove using https://civicrm.wikimedia.org/admin/config/large_donation/configure

Requires: client_ssl_cert
[x] account_setup
    [x] Mark user account as inactive
[x] archive_access
    [x] Remove from google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA

fr-tech-failmail (possibly others)
[] Production lists
    [] Remove from list in production private puppet repo
    [] Push out change
[] Fail Mail
    [] grep the puppet repo for instances of the user's account
    [] Remove instances
    [] Push out change
[] civicrm
    [] Remove from civicrm failmail recipients
        https://civicrm.wikimedia.org/admin/config/wmf_common/configure

Requires: useraccount, yubikey, ssh
[-] remove user port mapping in hieradata/hostname/fran1001.yaml
[-] remove user password mapping in manifests/passwords/jupyter.pp

Some processors have multiple consoles
[] acoustic
[] adyen
[] apple
[] braintree
[] dlocal
[] ingenico
[] paypal