Resources are not removed when unlinking the security policy project
Why are we doing this work
Related issue: https://gitlab.com/gitlab-com/account-management/emea/travis-perkins/tp-pov/-/issues/15
At the moment, linking a project to a security policy project causes both scan result and scan execution resources to be persisted via a background job.
The link happens through the associative table Security::OrchestrationPolicyConfiguration, and some of the resources created are ApprovalProjectRule and Security::OrchestrationPolicyRuleSchedule.
Through the UI there is an option to unlink those projects, and from the user's perspective this would also mean the removal of the resources previously created:
However, currently unlinking only deletes the record from the Security::OrchestrationPolicyConfiguration table, leaving the approval rules and rule schedules in place.
Suggested approaches
- Clean up the resources on the project level as part of Security::Orchestration::UnassignService. Add a checkbox in the UI to determine whether or not related resources should also be deleted. This could also include a new parameter for the GraphQL mutation Mutations::SecurityPolicy::UnassignSecurityPolicyProject.
- Preserve the Security::OrchestrationPolicyConfiguration record while setting security_orchestration_policy_configuration_id to nil, thus still relying on Security::CreateOrchestrationPolicyWorker for the deletion of existing resources. This approach would probably require another sync job for cleaning up those orphaned Security::OrchestrationPolicyConfiguration records.
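The following is an added illustration, not GitLab's code: a small in-memory model of the link between a project and its security policy project. It shows the current unlink behaviour leaving orphaned approval rules and schedules, the first suggested approach (cleanup as an option of the unassign step, mirroring the proposed checkbox / mutation parameter), and the orphan sweep that the second approach would need as a sync job. The class names follow the issue; the fields, the `delete_resources:` option and the `Store` class are assumptions made for the example.

```ruby
# Added example (not GitLab's code). Models the records named in the issue
# with plain Structs; fields and the Store class are assumptions.
require 'set'

Project = Struct.new(:id, :name)
# Stand-in for Security::OrchestrationPolicyConfiguration
PolicyConfiguration = Struct.new(:id, :project_id, :policy_project_id)
# Stand-in for ApprovalProjectRule (scan result policy)
ApprovalProjectRule = Struct.new(:id, :project_id, :configuration_id, :name)
# Stand-in for Security::OrchestrationPolicyRuleSchedule (scan execution policy)
RuleSchedule = Struct.new(:id, :configuration_id, :cron)

class Store
  attr_reader :configurations, :approval_rules, :schedules

  def initialize
    @configurations = {}
    @approval_rules = {}
    @schedules = {}
    @next_id = 0
  end

  # Linking persists the configuration row plus the resources derived from it,
  # as the issue describes for the background sync job.
  def link(project, policy_project)
    config = PolicyConfiguration.new(next_id, project.id, policy_project.id)
    @configurations[config.id] = config
    rule = ApprovalProjectRule.new(next_id, project.id, config.id, 'scan_result_policy')
    @approval_rules[rule.id] = rule
    schedule = RuleSchedule.new(next_id, config.id, '0 0 * * *')
    @schedules[schedule.id] = schedule
    config
  end

  # Current behaviour: only the configuration row is deleted.
  def unlink_current(config)
    @configurations.delete(config.id)
  end

  # Suggested approach 1: the unassign step optionally removes dependent
  # resources, driven by a flag equivalent to the proposed UI checkbox.
  def unlink(config, delete_resources: false)
    if delete_resources
      @approval_rules.delete_if { |_, r| r.configuration_id == config.id }
      @schedules.delete_if { |_, s| s.configuration_id == config.id }
    end
    @configurations.delete(config.id)
  end

  # Resources whose configuration no longer exists. Useful both as a check
  # in a review and as the predicate a cleanup sync job would use.
  def orphans
    live = @configurations.keys.to_set
    rules = @approval_rules.values.reject { |r| live.include?(r.configuration_id) }
    scheds = @schedules.values.reject { |s| live.include?(s.configuration_id) }
    { approval_rules: rules.map(&:id), schedules: scheds.map(&:id) }
  end

  # Suggested approach 2 needs a periodic sweep; this is that sweep.
  def purge_orphans
    found = orphans
    found[:approval_rules].each { |id| @approval_rules.delete(id) }
    found[:schedules].each { |id| @schedules.delete(id) }
    found
  end

  private

  def next_id
    @next_id += 1
  end
end

def seeded_store
  store = Store.new
  config = store.link(Project.new(1, 'app'), Project.new(2, 'policies'))
  [store, config]
end

# Current unlink leaves rule 2 and schedule 3 behind (config is id 1).
def demo_current_unlink
  store, config = seeded_store
  store.unlink_current(config)
  store.orphans
end

# Unlink with cleanup leaves nothing behind.
def demo_unlink_with_cleanup
  store, config = seeded_store
  store.unlink(config, delete_resources: true)
  store.orphans
end

# Sweep after a bare unlink removes exactly the orphaned ids.
def demo_purge_after_current_unlink
  store, config = seeded_store
  store.unlink_current(config)
  store.purge_orphans
  store.orphans
end

if __FILE__ == $PROGRAM_NAME
  p demo_current_unlink
  p demo_unlink_with_cleanup
  p demo_purge_after_current_unlink
end
```

The `orphans` query is the part worth carrying into a real change: whichever approach is chosen, the verification step is the same, namely that no ApprovalProjectRule or RuleSchedule remains whose configuration id no longer resolves.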
Workaround
- Instead of unlinking the project, users have to first either disable or remove scan result policies.
- Then after the approval rules have been synced (removed in this case), MRs won't require those approvals.
- Finally the user can unlink the security policy project.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing: -
Implementation plan
Verification steps
Edited by Zamir Martins