[Fleet] Allow to delete orphaned agentless policies

nchaulet · nchaulet · commit db5b8f6702ef · 2026-05-29T11:48:40.000-04:00
diff --git a/x-pack/platform/plugins/shared/fleet/server/services/agentless/agentless_policies.test.ts b/x-pack/platform/plugins/shared/fleet/server/services/agentless/agentless_policies.test.ts
@@ -16,6 +16,7 @@ import { createAppContextStartContractMock, createPackagePolicyServiceMock } fro
 import { getPackageInfo } from '../epm/packages';
 import { appContextService, cloudConnectorService } from '..';
 import { agentPolicyService } from '../agent_policy';
+import { agentlessAgentService } from '../agents/agentless_agent';
 
 import { AgentlessPoliciesServiceImpl } from './agentless_policies';
 
@@ -310,6 +311,78 @@ describe('AgentlessPoliciesService', () => {
 
       expect(jest.mocked(agentPolicyService.delete)).toHaveBeenCalledTimes(0);
     });
+
+    it('should clean up orphaned resources when agent policy is not found (404)', async () => {
+      const deleteAgentlessAgentSpy = jest
+        .spyOn(agentlessAgentService, 'deleteAgentlessAgent')
+        .mockResolvedValueOnce(undefined as any);
+
+      jest.mocked(agentPolicyService.get).mockRejectedValueOnce({
+        output: { statusCode: 404 },
+      });
+
+      packagePolicyService.findAllForAgentPolicy.mockResolvedValueOnce([
+        { id: 'orphaned-pp-1' },
+        { id: 'orphaned-pp-2' },
+      ] as any);
+
+      packagePolicyService.delete.mockResolvedValueOnce([
+        { id: 'orphaned-pp-1', success: true },
+        { id: 'orphaned-pp-2', success: true },
+      ] as any);
+
+      const soClient = savedObjectsClientMock.create();
+      const esClient = elasticsearchServiceMock.createClusterClient().asInternalUser;
+      const logger = loggingSystemMock.createLogger();
+
+      const agentlessPoliciesService = new AgentlessPoliciesServiceImpl(
+        packagePolicyService,
+        soClient,
+        esClient,
+        logger
+      );
+
+      await agentlessPoliciesService.deleteAgentlessPolicy('orphaned-policy-id');
+
+      expect(jest.mocked(agentPolicyService.delete)).not.toHaveBeenCalled();
+      expect(packagePolicyService.findAllForAgentPolicy).toHaveBeenCalledWith(
+        soClient,
+        'orphaned-policy-id'
+      );
+      expect(packagePolicyService.delete).toHaveBeenCalledWith(
+        soClient,
+        esClient,
+        ['orphaned-pp-1', 'orphaned-pp-2'],
+        expect.objectContaining({ force: true })
+      );
+      expect(deleteAgentlessAgentSpy).toHaveBeenCalledWith('orphaned-policy-id');
+
+      deleteAgentlessAgentSpy.mockRestore();
+    });
+
+    it('should rethrow non-404 errors from agentPolicyService.get', async () => {
+      jest.mocked(agentPolicyService.get).mockRejectedValueOnce({
+        output: { statusCode: 500 },
+        message: 'Internal server error',
+      });
+
+      const soClient = savedObjectsClientMock.create();
+      const esClient = elasticsearchServiceMock.createClusterClient().asInternalUser;
+      const logger = loggingSystemMock.createLogger();
+
+      const agentlessPoliciesService = new AgentlessPoliciesServiceImpl(
+        packagePolicyService,
+        soClient,
+        esClient,
+        logger
+      );
+
+      await expect(() =>
+        agentlessPoliciesService.deleteAgentlessPolicy('some-policy-id')
+      ).rejects.toEqual(expect.objectContaining({ output: { statusCode: 500 } }));
+
+      expect(jest.mocked(agentPolicyService.delete)).not.toHaveBeenCalled();
+    });
   });
 
   describe('createAgentlessPolicy with cloud connectors', () => {
diff --git a/x-pack/platform/plugins/shared/fleet/server/services/agentless/agentless_policies.ts b/x-pack/platform/plugins/shared/fleet/server/services/agentless/agentless_policies.ts
@@ -11,6 +11,7 @@ import {
   type Logger,
   type RequestHandlerContext,
   type SavedObjectsClientContract,
+  SavedObjectsErrorHelpers,
 } from '@kbn/core/server';
 import type { TypeOf } from '@kbn/config-schema';
 import { v4 as uuidv4 } from 'uuid';
@@ -274,7 +275,18 @@ export class AgentlessPoliciesServiceImpl implements AgentlessPoliciesService {
       ? appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined
       : undefined;
 
-    const agentPolicy = await agentPolicyService.get(this.soClient, policyId);
+    let agentPolicy;
+    try {
+      agentPolicy = await agentPolicyService.get(this.soClient, policyId);
+    } catch (e) {
+      if (SavedObjectsErrorHelpers.isNotFoundError(e)) {
+        this.logger.warn(`Agent policy ${policyId} not found, cleaning up orphaned resources`);
+        await this.deleteOrphanedAgentlessResources(policyId, user);
+        return;
+      }
+      throw e;
+    }
+
     if (!agentPolicy?.supports_agentless) {
       throw new Error(`Policy ${policyId} is not an agentless policy`);
     }
@@ -285,4 +297,28 @@ export class AgentlessPoliciesServiceImpl implements AgentlessPoliciesService {
       user,
     });
   }
+
+  private async deleteOrphanedAgentlessResources(policyId: string, user?: any) {
+    const packagePolicies = await this.packagePolicyService.findAllForAgentPolicy(
+      this.soClient,
+      policyId
+    );
+
+    if (packagePolicies.length > 0) {
+      await this.packagePolicyService.delete(
+        this.soClient,
+        this.esClient,
+        packagePolicies.map((pp) => pp.id),
+        { force: true, user: user ?? undefined }
+      );
+    }
+
+    try {
+      await agentlessAgentService.deleteAgentlessAgent(policyId);
+    } catch (e) {
+      this.logger.warn(
+        `Failed to delete agentless deployment for orphaned policy ${policyId}: ${e.message}`
+      );
+    }
+  }
 }
diff --git a/x-pack/platform/test/fleet_api_integration/apis/agentless/agentless_policies.ts b/x-pack/platform/test/fleet_api_integration/apis/agentless/agentless_policies.ts
@@ -329,6 +329,29 @@ export default function (providerContext: FtrProviderContext) {
         expect(apiCalls[0].url).to.be(`/agentless-api/api/v1/ess/deployments/${policyId}`);
         expect(apiCalls[0].method).to.be('DELETE');
       });
+
+      it('should allow to delete an orphaned agentless policy when agent policy is missing', async () => {
+        // Orphan the policy by directly deleting the agent policy SO
+        await es.delete({
+          index: '.kibana_ingest',
+          id: `fleet-agent-policies:${policyId}`,
+          refresh: 'wait_for',
+        });
+
+        // Verify agent policy is gone
+        await expectToRejectWithNotFound(() => apiClient.getAgentPolicy(policyId));
+
+        // Delete via agentless API should succeed despite missing agent policy
+        await apiClient.deleteAgentlessPolicy(policyId);
+
+        // Verify package policy is cleaned up
+        await expectToRejectWithNotFound(() => apiClient.getPackagePolicy(policyId));
+
+        // Verify agentless API DELETE was called to clean up the deployment
+        expect(apiCalls.length).to.be(1);
+        expect(apiCalls[0].url).to.be(`/agentless-api/api/v1/ess/deployments/${policyId}`);
+        expect(apiCalls[0].method).to.be('DELETE');
+      });
     });
 
     describe('Update Agentless Policy', () => {
