[management] policy delete cleans policy rules (#3788)

management/server/store/sql_store.go

@@ -1683,18 +1683,26 @@ func (s *SqlStore) SavePolicy(ctx context.Context, lockStrength LockingStrength,
 }
 
 func (s *SqlStore) DeletePolicy(ctx context.Context, lockStrength LockingStrength, accountID, policyID string) error {
-	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).
+	return s.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
-		Delete(&types.Policy{}, accountAndIDQueryCondition, accountID, policyID)
+		if err := tx.Where("policy_id = ?", policyID).Delete(&types.PolicyRule{}).Error; err != nil {
-	if err := result.Error; err != nil {
+			return fmt.Errorf("delete policy rules: %w", err)
-		log.WithContext(ctx).Errorf("failed to delete policy from store: %s", err)
+		}
-		return status.Errorf(status.Internal, "failed to delete policy from store")
-	}
 
-	if result.RowsAffected == 0 {
+		result := tx.Clauses(clause.Locking{Strength: string(lockStrength)}).
-		return status.NewPolicyNotFoundError(policyID)
+			Where(accountAndIDQueryCondition, accountID, policyID).
-	}
+			Delete(&types.Policy{})
 
-	return nil
+		if err := result.Error; err != nil {
+			log.WithContext(ctx).Errorf("failed to delete policy from store: %s", err)
+			return status.Errorf(status.Internal, "failed to delete policy from store")
+		}
+
+		if result.RowsAffected == 0 {
+			return status.NewPolicyNotFoundError(policyID)
+		}
+
+		return nil
+	})
 }
 
 // GetAccountPostureChecks retrieves posture checks for an account.