can't make the clean up to succeed

[birojnayak]

Describe the bug

when the 'Application IAM Role: *** Create new *** ' is selected for Beanstalk deployment, the delete-deployment is failing to delete the newly IAM role created.

Expected Behavior

It should delete all resources the cli has created.

Current Behavior

the delete deployment failing...

Reproduction Steps

Used the new CLI,

1. => dotnet aws deploy --project-path . --application-name testthedelete
   opted for the Beanstalk linux with rest default
2. => Deployment succeeded
   3)=> dotnet aws delete-deployment testthedelete --silent

It can't delete the AWS::IAM::Role (the default IAM role) it's creating.

06/28/2022 05:13:14 | DELETE_IN_PROGRESS | AWS::IAM::Role | RecipeAppIAMRole9E73EEFA
06/28/2022 05:13:15 | DELETE_FAILED | AWS::IAM::Role | RecipeAppIAMRole9E73EEFA
06/28/2022 05:13:43 | DELETE_COMPLETE | AWS::ElasticBeanstalk::Application | RecipeBeanstalkApplication3558EA83
06/28/2022 05:13:44 | DELETE_FAILED | AWS::CloudFormation::Stack | testthedelete

Cannot delete entity, must detach all policies first. (Service: AmazonIdentityManagement; Status Code: 409; Error Code: DeleteConflict; Request ID: da4a8d50-7b6d-4c95-8c68-4bc4e7376d8c; Proxy: null)

Possible Solution

No response

Additional Information/Context

No response

Version used

latest

Operating System and version

Windows 10

[normj]

This happens when IAM roles get policies added to them outside of the CloudFormation stack. When the delete happens that is essentially calling a CF stack delete and CloudFormation is unable to delete roles with policies not added as part of the stack.

We could potentially add a pre-step in the delete-deployment command that clears out policies in IAM roles before initiating the CF stack delete.