codeperl
diff --git a/‎localstack/services/cloudformation/engine/template_deployer.py
Lines changed: 23 additions & 4 deletions b/‎localstack/services/cloudformation/engine/template_deployer.py
Lines changed: 23 additions & 4 deletions
diff --git a/‎localstack/services/cloudformation/resource_provider.py
Lines changed: 3 additions & 0 deletions b/‎localstack/services/cloudformation/resource_provider.py
Lines changed: 3 additions & 0 deletions
diff --git a/‎localstack/services/iam/resource_providers/aws_iam_policy.py
Lines changed: 18 additions & 3 deletions b/‎localstack/services/iam/resource_providers/aws_iam_policy.py
Lines changed: 18 additions & 3 deletions
diff --git a/‎localstack/testing/snapshots/transformer_utility.py
Lines changed: 1 addition & 1 deletion b/‎localstack/testing/snapshots/transformer_utility.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/aws/services/cloudformation/api/test_stacks.py
Lines changed: 57 additions & 1 deletion b/‎tests/aws/services/cloudformation/api/test_stacks.py
Lines changed: 57 additions & 1 deletion
@@ -22,6 +22,7 @@
 )
 from localstack.services.cloudformation.resource_provider import (
     Credentials,
+    OperationStatus,
     ResourceProviderExecutor,
     ResourceProviderPayload,
     get_resource_type,
@@ -1358,13 +1359,31 @@ def apply_change(self, change: ChangeConfig, stack: Stack) -> None:
 
         progress_event = executor.deploy_loop(resource_provider_payload)  # noqa
 
+        # TODO: clean up the surrounding loop (do_apply_changes_in_loop) so that the responsibilities are clearer
+        stack_action = get_action_name_for_resource_change(action)
+        match progress_event.status:
+            case OperationStatus.FAILED:
+                stack.set_resource_status(resource_id, f"{stack_action}_FAILED")
+              
8000
  # TODO: remove exception raising here?
+                # TODO: fix request token
+                raise Exception(
+                    f'Resource handler returned message: "{progress_event.message}" (RequestToken: 10c10335-276a-33d3-5c07-018b684c3d26, HandlerErrorCode: InvalidRequest){progress_event.error_code}'
+                )
+            case OperationStatus.SUCCESS:
+                stack.set_resource_status(resource_id, f"{stack_action}_COMPLETE")
+            case OperationStatus.PENDING:
+                # this isn't really a state we use at the moment
+                raise Exception(
+                    f"Usage of currently unsupported operation status detected: {OperationStatus.PENDING}"
+                )
+            case OperationStatus.IN_PROGRESS:
+                raise Exception("Resource deployment loop should not finish in this state")
+            case unknown_status:
+                raise Exception(f"Unknown operation status: {unknown_status}")
+
         # TODO: this is probably already done in executor, try removing this
         resource["Properties"] = progress_event.resource_model
 
-        # update resource status and physical resource id
-        stack_action = get_action_name_for_resource_change(action)
-        stack.set_resource_status(resource_id, f"{stack_action}_COMPLETE")
-
     def create_resource_provider_executor(self) -> ResourceProviderExecutor:
         return ResourceProviderExecutor(
             stack_name=self.stack.stack_name,
 
@@ -641,6 +641,9 @@ def deploy_loop(
 
                 event = self.execute_action(resource_provider, payload)
 
+                if event.status == OperationStatus.FAILED:
+                    return event
+
                 if event.status == OperationStatus.SUCCESS:
 
                     if not isinstance(resource_provider, LegacyResourceProvider):
 
@@ -58,6 +58,14 @@ def create(
         policy_doc = json.dumps(util.remove_none_values(model["PolicyDocument"]))
         policy_name = model["PolicyName"]
 
+        if not any([model.get("Roles"), model.get("Users"), model.get("Groups")]):
+            return ProgressEvent(
+                status=OperationStatus.FAILED,
+                resource_model={},
+                error_code="InvalidRequest",
+                message="At least one of [Groups,Roles,Users] must be non-empty.",
+            )
+
         for role in model.get("Roles", []):
             iam_client.put_role_policy(
                 RoleName=role, PolicyName=policy_name, PolicyDocument=policy_doc
@@ -83,8 +91,6 @@ def read(
     ) -> ProgressEvent[IAMPolicyProperties]:
         """
         Fetch resource information
-
-
         """
         raise NotImplementedError
 
@@ -96,7 +102,16 @@ def delete(
         Delete a resource
         """
         iam = request.aws_client_factory.iam
-        iam.delete_policy(PolicyArn=request.desired_state["Id"])
+
+        model = request.previous_state
+        policy_name = request.previous_state["PolicyName"]
+        for role in model.get("Roles", []):
+            iam.delete_role_policy(RoleName=role, PolicyName=policy_name)
+        for user in model.get("Users", []):
+            iam.delete_user_policy(UserName=user, PolicyName=policy_name)
+        for group in model.get("Groups", []):
+            iam.delete_group_policy(GroupName=group, PolicyName=policy_name)
+
         return ProgressEvent(status=OperationStatus.SUCCESS, resource_model={})
 
     def update(
 
@@ -57,7 +57,7 @@ def key_value(
         :return: KeyValueBasedTransformer
         """
         return KeyValueBasedTransformer(
-            lambda k, v: v if k == key else None,
+            lambda k, v: v if k == key and (v is not None and v != "") else None,
             replacement=value_replacement or _replace_camel_string_with_hyphen(key),
             replace_reference=reference_replacement,
         )
 
@@ -4,8 +4,11 @@
 import botocore.exceptions
 import pytest
 import yaml
+from botocore.exceptions import WaiterError
 
+from localstack.aws.api.cloudformation import Capability
 from localstack.services.cloudformation.engine.yaml_parser import parse_yaml
+from localstack.testing.aws.util import is_aws_cloud
 from localstack.testing.pytest import markers
 from localstack.testing.snapshots.transformer import SortingTransformer
 from localstack.utils.files import load_file
@@ -633,7 +636,7 @@ def test_events_resource_types(deploy_cfn_template, snapshot, aws_client):
 
 
 @markers.aws.validated
-def test_list_parameter_type(aws_client, deploy_cfn_template, cleanups, lambda_su_role):
+def test_list_parameter_type(aws_client, deploy_cfn_template, cleanups):
     stack_name = f"test-stack-{short_uid()}"
     cleanups.append(lambda: aws_client.cloudformation.delete_stack(StackName=stack_name))
     stack = deploy_cfn_template(
@@ -646,3 +649,56 @@ def test_list_parameter_type(aws_client, deploy_cfn_template, cleanups, lambda_s
     )
 
     assert stack.outputs["ParamValue"] == "foo|bar"
+
+
+@markers.aws.validated
+@pytest.mark.skipif(condition=not is_aws_cloud(), reason="rollback not implemented")
+def test_blocked_stack_deletion(aws_client, cleanups, snapshot):
+    """
+    uses AWS::IAM::Policy for demonstrating this behavior
+
+    1. create fails
+    2. rollback fails even though create didn't even provision anything
+    3. trying to delete the stack afterwards also doesn't work
+    4. deleting the stack with retain resources works
+    """
+    cfn = aws_client.cloudformation
+    stack_name = f"test-stacks-blocked-{short_uid()}"
+    policy_name = f"test-broken-policy-{short_uid()}"
+    snapshot.add_transformer(snapshot.transform.cloudformation_api())
+    snapshot.add_transformer(snapshot.transform.regex(policy_name, "<policy-name>"))
+    template_body = load_file(
+        os.path.join(os.path.dirname(__file__), "../../../templates/iam_policy_invalid.yaml")
+    )
+    waiter_config = {"Delay": 1, "MaxAttempts": 20}
+
+    snapshot.add_transformer(snapshot.transform.key_value("PhysicalResourceId"))
+    snapshot.add_transformer(
+        snapshot.transform.key_value("ResourceStatusReason", reference_replacement=False)
+    )
+
+    stack = cfn.create_stack(
+        StackName=stack_name,
+        TemplateBody=template_body,
+        Parameters=[{"ParameterKey": "Name", "ParameterValue": policy_name}],
+        Capabilities=[Capability.CAPABILITY_NAMED_IAM],
+    )
+    stack_id = stack["StackId"]
+    cleanups.append(lambda: cfn.delete_stack(StackName=stack_id, RetainResources=["BrokenPolicy"]))
+    with pytest.raises(WaiterError):
+        cfn.get_waiter("stack_create_complete").wait(StackName=stack_id, WaiterConfig=waiter_config)
+    stack_post_create = cfn.describe_stacks(StackName=stack_id)
+    snapshot.match("stack_post_create", stack_post_create)
+
+    cfn.delete_stack(StackName=stack_id)
+    with pytest.raises(WaiterError):
+        cfn.get_waiter("stack_delete_complete").wait(StackName<
6BB6
/span>=stack_id, WaiterConfig=waiter_config)
+    stack_post_fail_delete = cfn.describe_stacks(StackName=stack_id)
+    snapshot.match("stack_post_fail_delete", stack_post_fail_delete)
+
+    cfn.delete_stack(StackName=stack_id, RetainResources=["BrokenPolicy"])
+    cfn.get_waiter("stack_delete_complete").wait(StackName=stack_id, WaiterConfig=waiter_config)
+    stack_post_success_delete = cfn.describe_stacks(StackName=stack_id)
+    snapshot.match("stack_post_success_delete", stack_post_success_delete)
+    stack_events = cfn.describe_stack_events(StackName=stack_id)
+    snapshot.match("stack_events", stack_events)
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ def key_value(`
`57`	`57`	`:return: KeyValueBasedTransformer`
`58`	`58`	`"""`
`59`	`59`	`return KeyValueBasedTransformer(`
`60`		`- lambda k, v: v if k == key else None,`
	`60`	`+ lambda k, v: v if k == key and (v is not None and v != "") else None,`
`61`	`61`	`replacement=value_replacement or _replace_camel_string_with_hyphen(key),`
`62`	`62`	`replace_reference=reference_replacement,`
`63`	`63`	`)`