Fix service linked role deletion

dfangl · dfangl · commit a6bae2be9111 · 2025-03-13T17:20:27.000+01:00
diff --git a/localstack-core/localstack/services/iam/provider.py b/localstack-core/localstack/services/iam/provider.py
@@ -4,6 +4,7 @@
 import random
 import re
 import string
+import uuid
 from datetime import datetime
 from typing import Any, Dict, List, TypeVar
 from urllib.parse import quote
@@ -79,7 +80,6 @@
 from localstack.services.iam.resources.service_linked_roles import SERVICE_LINKED_ROLES
 from localstack.services.moto import call_moto
 from localstack.utils.aws.request_context import extract_access_key_id_from_auth_header
-from localstack.utils.common import short_uid
 
 LOG = logging.getLogger(__name__)
 
@@ -375,15 +375,18 @@ def create_service_linked_role(
     def delete_service_linked_role(
         self, context: RequestContext, role_name: roleNameType, **kwargs
     ) -> DeleteServiceLinkedRoleResponse:
-        # TODO: test
         backend = get_iam_backend(context)
+        role = backend.get_role(role_name=role_name)
+        role.managed_policies.clear()
         backend.delete_role(role_name)
-        return DeleteServiceLinkedRoleResponse(DeletionTaskId=short_uid())
+        return DeleteServiceLinkedRoleResponse(
+            DeletionTaskId=f"task{role.path}{role.name}/{uuid.uuid4()}"
+        )
 
     def get_service_linked_role_deletion_status(
         self, context: RequestContext, deletion_task_id: DeletionTaskIdType, **kwargs
     ) -> GetServiceLinkedRoleDeletionStatusResponse:
-        # TODO: test
+        # TODO: check if task id is valid
         return GetServiceLinkedRoleDeletionStatusResponse(Status=DeletionTaskStatusType.SUCCEEDED)
 
     def put_user_permissions_boundary(
diff --git a/tests/aws/services/iam/test_iam.py b/tests/aws/services/iam/test_iam.py
@@ -10,9 +10,11 @@
 from localstack.services.iam.iam_patches import ADDITIONAL_MANAGED_POLICIES
 from localstack.testing.aws.util import create_client_with_keys, wait_for_user
 from localstack.testing.pytest import markers
+from localstack.testing.snapshots.transformer_utility import PATTERN_UUID
 from localstack.utils.aws.arns import get_partition
 from localstack.utils.common import short_uid
 from localstack.utils.strings import long_uid
+from localstack.utils.sync import retry
 
 LOG = logging.getLogger(__name__)
 
@@ -1387,6 +1389,27 @@ def test_service_role_lifecycle_custom_suffix_not_allowed(
             )
         snapshot.match("custom-suffix-not-allowed", e.value.response)
 
+    @markers.aws.validated
+    def test_service_role_deletion(self, aws_client, snapshot, create_service_linked_role):
+        """Testing deletion only with one service name to avoid undeletable service linked roles in developer accounts"""
+        snapshot.add_transformer(snapshot.transform.regex(PATTERN_UUID, "<uuid>"))
+        service_name = "batch.amazonaws.com"
+        role_name = create_service_linked_role(AWSServiceName=service_name)["Role"]["RoleName"]
+
+        response = aws_client.iam.delete_service_linked_role(RoleName=role_name)
+        snapshot.match("service-linked-role-deletion-response", response)
+        deletion_task_id = response["DeletionTaskId"]
+
+        def wait_role_deleted():
+            response = aws_client.iam.get_service_linked_role_deletion_status(
+                DeletionTaskId=deletion_task_id
+            )
+            assert response["Status"] == "SUCCEEDED"
+            return response
+
+        response = retry(wait_role_deleted, retries=10, sleep=1)
+        snapshot.match("service-linked-role-deletion-status-response", response)
+
     @markers.aws.validated
     def test_service_role_already_exists(self, aws_client, snapshot, create_service_linked_role):
         service_name = "batch.amazonaws.com"
diff --git a/tests/aws/services/iam/test_iam.snapshot.json b/tests/aws/services/iam/test_iam.snapshot.json
@@ -6222,5 +6222,24 @@
         }
       }
     }
+  },
+  "tests/aws/services/iam/test_iam.py::TestIAMServiceRoles::test_service_role_deletion": {
+    "recorded-date": "13-03-2025, 16:11:23",
+    "recorded-content": {
+      "service-linked-role-deletion-response": {
+        "DeletionTaskId": "task/aws-service-role/batch.amazonaws.com/AWSServiceRoleForBatch/<uuid>",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      },
+      "service-linked-role-deletion-status-response": {
+        "Status": "SUCCEEDED",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      }
+    }
   }
 }
diff --git a/tests/aws/services/iam/test_iam.validation.json b/tests/aws/services/iam/test_iam.validation.json
@@ -65,6 +65,9 @@
   "tests/aws/services/iam/test_iam.py::TestIAMServiceRoles::test_service_role_already_exists": {
     "last_validated_date": "2025-03-13T15:18:42+00:00"
   },
+  "tests/aws/services/iam/test_iam.py::TestIAMServiceRoles::test_service_role_deletion": {
+    "last_validated_date": "2025-03-13T16:11:22+00:00"
+  },
   "tests/aws/services/iam/test_iam.py::TestIAMServiceRoles::test_service_role_lifecycle": {
     "last_validated_date": "2025-03-11T13:49:49+00:00"
   },

Original file line number	Diff line number	Diff line change
`@@ -6222,5 +6222,24 @@`
`6222`	`6222`	`}`
`6223`	`6223`	`}`
`6224`	`6224`	`}`
	`6225`	`+ },`
	`6226`	`+ "tests/aws/services/iam/test_iam.py::TestIAMServiceRoles::test_service_role_deletion": {`
	`6227`	`+ "recorded-date": "13-03-2025, 16:11:23",`
	`6228`	`+ "recorded-content": {`
	`6229`	`+ "service-linked-role-deletion-response": {`
	`6230`	`+ "DeletionTaskId": "task/aws-service-role/batch.amazonaws.com/AWSServiceRoleForBatch/<uuid>",`
	`6231`	`+ "ResponseMetadata": {`
	`6232`	`+ "HTTPHeaders": {},`
	`6233`	`+ "HTTPStatusCode": 200`
	`6234`	`+ }`
	`6235`	`+ },`
	`6236`	`+ "service-linked-role-deletion-status-response": {`
	`6237`	`+ "Status": "SUCCEEDED",`
	`6238`	`+ "ResponseMetadata": {`
	`6239`	`+ "HTTPHeaders": {},`
	`6240`	`+ "HTTPStatusCode": 200`
	`6241`	`+ }`
	`6242`	`+ }`
	`6243`	`+ }`
`6225`	`6244`	`}`
`6226`	`6245`	`}`