awslabs · dgraeber · Oct 30, 2023 · Oct 27, 2023 · Oct 27, 2023 · Oct 27, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,7 +12,9 @@ This project adheres to [Semantic Versioning](http://semver.org/) and [Keep a Ch
 - adding support for module-type spec on init of new module `seedfarmer init module -mt cdkv2`
 
 ### Fixes
-
+- skip destroy of managed-project-policy if it has roles attached
+- if managed-project-policy is in an `*_IN_PROCESS` state, wait 60 seconds and check again
+  - bumps `aws-codeseeder~=0.10.2`
 
 ## v2.10.4 (2023-10-23)
 

diff --git a/requirements.txt b/requirements.txt
@@ -6,7 +6,7 @@
 #
 arrow==1.2.3
     # via jinja2-time
-aws-codeseeder==0.10.1
+aws-codeseeder==0.10.2
     # via seed-farmer (setup.py)
 binaryornot==0.4.4
     # via cookiecutter

diff --git a/seedfarmer/commands/_deployment_commands.py b/seedfarmer/commands/_deployment_commands.py
@@ -860,16 +860,15 @@ def destroy(
         reaper_interval=session_timeout_interval,
     )
     destroy_manifest = du.generate_deployed_manifest(deployment_name=deployment_name, skip_deploy_spec=False)
-    _, _, partition = get_sts_identity_info(session=session_manager.toolchain_session)
-    destroy_manifest._partition = partition  # type: ignore
     if destroy_manifest:
+        _, _, partition = get_sts_identity_info(session=session_manager.toolchain_session)
+        destroy_manifest._partition = partition
         destroy_manifest.validate_and_set_module_defaults()
         destroy_deployment(
             destroy_manifest,
             remove_deploy_manifest=True,
             dryrun=dryrun,
             show_manifest=show_manifest,
         )
-
     else:
         _logger.info("Deployment %s was not found, ignoring... ", deployment_name)
diff --git a/seedfarmer/commands/_stack_commands.py b/seedfarmer/commands/_stack_commands.py
@@ -16,7 +16,7 @@
 import logging
 import os
 import time
-from typing import Any, List, Optional, Tuple
+from typing import Any, Dict, List, Optional, Tuple, cast
 
 from aws_codeseeder import EnvVar, EnvVarType, codeseeder, commands, services
 from cfn_tools import load_yaml
@@ -99,10 +99,17 @@ def destroy_managed_policy_stack(account_id: str, region: str) -> None:
     """
     # Determine if managed policy stack already deployed
     session = SessionManager().get_or_create().get_deployment_session(account_id=account_id, region_name=region)
-    project_managed_policy_stack_exists, _ = services.cfn.does_stack_exist(
+    project_managed_policy_stack_exists, stack_outputs = services.cfn.does_stack_exist(
         stack_name=info.PROJECT_MANAGED_POLICY_CFN_NAME, session=session
     )
+    _logger.debug("project_managed_policy_output is : %s", stack_outputs)
+    has_roles_attached = False
     if project_managed_policy_stack_exists:
+        project_managed_policy_arn = stack_outputs.get("ProjectPolicyARN")
+        policy = iam.get_policy_info(policy_arn=project_managed_policy_arn, session=session)
+        has_roles_attached = True if policy and policy["Policy"]["AttachmentCount"] > 0 else False
+
+    if project_managed_policy_stack_exists and not has_roles_attached:
         _logger.info(
             "Destroying Stack %s in Account/Region: %s/%s", info.PROJECT_MANAGED_POLICY_CFN_NAME, account_id, region
         )
@@ -117,6 +124,13 @@ def destroy_managed_policy_stack(account_id: str, region: str) -> None:
             _logger.info(
                 f"Failed to delete project stack {info.PROJECT_MANAGED_POLICY_CFN_NAME}, ignoring and moving on"
             )
+    else:
+        _logger.info(
+            "Stack %s in Account/Region: %s/%s is either not deployed or has roles attached",
+            info.PROJECT_MANAGED_POLICY_CFN_NAME,
+            account_id,
+            region,
+        )
 
 
 def destroy_module_stack(
@@ -307,13 +321,29 @@ def deploy_module_stack(
         seedkit_managed_policy_arn = stack_outputs.get("SeedkitResourcesPolicyArn")
 
     # Extract Project Managed policy name
-    project_managed_policy_stack_exists, stack_outputs = services.cfn.does_stack_exist(
-        stack_name=info.PROJECT_MANAGED_POLICY_CFN_NAME, session=session
-    )
 
-    _logger.debug("project_managed_policy_output is : %s", stack_outputs)
-    if project_managed_policy_stack_exists:
-        project_managed_policy_arn = stack_outputs.get("ProjectPolicyARN")
+    def _check_stack_status() -> Tuple[bool, Dict[str, str]]:
+        return cast(
+            Tuple[bool, Dict[str, str]],
+            services.cfn.does_stack_exist(stack_name=info.PROJECT_MANAGED_POLICY_CFN_NAME, session=session),
+        )
+
+    retries = 3
+    project_managed_policy_arn = None
+    while retries > 0:
+        project_managed_policy_stack_exists, stack_outputs = _check_stack_status()
+        if project_managed_policy_stack_exists:
+            if stack_outputs.get("StackStatus") and "_IN_PROGRESS" in stack_outputs.get("StackStatus"):
+                _logger.info("The managed policy stack is not complete, waiting 30 seconds")
+                time.sleep(30)
+                retries -= 1
+            else:
+                _logger.debug("project_managed_policy_output is : %s", stack_outputs)
+                project_managed_policy_arn = stack_outputs.get("ProjectPolicyARN", None)
+                retries = -1
+        else:
+            _logger.debug("project_managed_policy_output does not exist")
+            retries = -1
 
     if not project_managed_policy_arn:
         raise seedfarmer.errors.InvalidConfigurationError(

diff --git a/seedfarmer/services/_iam.py b/seedfarmer/services/_iam.py
@@ -121,3 +121,14 @@ def detach_inline_policy_from_role(role_name: str, policy_name: str, session: Op
         iam_resource.RolePolicy(role_name, policy_name).delete()
     except Exception as e:
         raise e
+
+
+def get_policy_info(policy_arn: str, session: Optional[Session] = None) -> Dict[str, Any]:
+    iam_client = boto3_client("iam", session=session)
+    try:
+        return cast(Dict[str, Any], iam_client.get_policy(PolicyArn=policy_arn))
+    except iam_client.exceptions.NoSuchEntityException as ne:
+        _logger.info("Policy does not exist: %s ", policy_arn)
+        raise ne
+    except Exception as e:
+        raise e
diff --git a/setup.py b/setup.py
@@ -45,7 +45,7 @@
     keywords=["aws", "cdk"],
     python_requires=">=3.7,<3.12",
     install_requires=[
-        "aws-codeseeder~=0.10.1",
+        "aws-codeseeder~=0.10.2",
         "cookiecutter~=2.1.0",
         "pyhumps~=3.5.0",
         "pydantic~=1.10.0",

diff --git a/test/unit-test/test_commands_stack.py b/test/unit-test/test_commands_stack.py
@@ -59,6 +59,21 @@ def session_manager(sts_client):
 """
 )
 
+manage_policy_json={
+    "Policy": {
+        "PolicyName": "addf-managed-policy-ProjectPolicy-7PSXY0GVW23I",
+        "PolicyId": "ANPAY667V3NQ3CYB253RG",
+        "Arn": "arn:aws:iam::123456789012:policy/addf-managed-policy-ProjectPolicy-7PSXY0GVW23I",
+        "Path": "/",
+        "DefaultVersionId": "v1",
+        "AttachmentCount": 0,
+        "PermissionsBoundaryUsageCount": 0,
+        "IsAttachable": True,
+        "Description": "Managed Policy granting access to build a project",
+        "Tags": []
+    }
+}
+
 
 @pytest.mark.commands
 @pytest.mark.commands_stack
@@ -93,6 +108,7 @@ def test_destroy_managed_policy_stack_not_exists(session_manager, mocker):
 def test_destroy_managed_policy_stack(session_manager, mocker):
     mocker.patch("seedfarmer.commands._stack_commands.services.cfn.does_stack_exist", return_value=[True, {}])
     mocker.patch("seedfarmer.commands._stack_commands.services.cfn.destroy_stack", return_value=None)
+    mocker.patch("seedfarmer.commands._stack_commands.iam.get_policy_info", return_value=manage_policy_json)
     sc.destroy_managed_policy_stack(account_id="123456789012", region="us-east-1")