[8.x] [Cloud Security] Agentless integration deletion flow (elastic#1…

…91557) (elastic#194629)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Cloud Security] Agentless integration deletion flow
(elastic#191557)](elastic#191557)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT
[{"author":{"name":"Lola","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-01T18:38:07Z","message":"[Cloud
Security] Agentless integration deletion flow (elastic#191557)\n\n##
Summary\r\n\r\nSummarize your PR. If it involves visual changes include
a screenshot or\r\ngif.\r\nThis PR is completes the deletion flow for
Agentless CSPM.\r\n\r\n**Current Agentless Integraton deletion flow**:
\r\n\r\n1. Successfully delete integration policy\r\n2. Successfully
unenrolls agent from agent policy \r\n3. Successfully revokes enrollment
token\r\n4. Successfully deletes agentless deployment\r\n5. Successfully
deletes agent policy \r\n6. Successful notification shows when deleted
integration policy is\r\nsuccessful\r\n\r\n\r\n## Agentless Agent API
\r\n- Unenrolls agent and revokes token first to avoid 404 save
object\r\nclient error.\r\n- Update `is_managed` property to no longer
check for\r\n`agentPolicy.supports_agentless`. Agentless policies will
now be a\r\nregular policy.\r\n- Adds logging for DELETE agentless Agent
API endpoint \r\n- Adds agentless API deleteendpoint using try & catch.
No errors will be\r\nthrown. Agent status will become offline after
deployment deletion\r\n- If agentless deployment api fails, then we will
continue to delete the\r\nagent policy\r\n\r\n## UI
Changes\r\n\r\n**CSPM Integration** \r\n- Updates Agent Policy Error
toast notification title \r\n- Updates Agent Policy Error toast
notification message \r\n\r\n<img width=\"1612\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/0003ce04-c53c-4e11-8363-ddc25ba342a7\">\r\n\r\n**Edit
Mode**\r\n- Adds back the Agentless selector in Edit
Integration\r\n\r\n<img width=\"1316\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/0d2f20ce-32fc-421c-a15a-48ca6226b67f\">\r\n\r\n**Integration
Policies Page**\r\n- Removes automatic navigation to agent policies page
when deleting an\r\nintegration. In 8.17, we have a ticket to [hide the
agentless
agent\r\npolicies.](https://github.com/elastic/security-team/issues/9857)\r\n-
Enables delete button when deleting package policy with agents
for\r\nagentless policies\r\n- Disables Upgrade Action\r\n- Removes Add
Agent Action\r\n\r\n<img width=\"1717\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/1b7ac4c7-e8bc-41b8-836f-4d3c79a449dd\">\r\n\r\n<img
width=\"670\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/0ab6a4c4-d7c6-43ea-9537-67e7fbcca2b0\">\r\n\r\n\r\n**Agent
Policies Page**\r\n- Updates messaging when deleting the agentless
policy from agent policy\r\npage. Warning users that deleting agentless
policy will also delete the\r\nintegration and unenroll agent.\r\n-
Enables delete button when deleting agentless policy with agents
for\r\nagentless policies\r\n- Removes Add agent menu action\r\n-
Removes Upgrade policy menu action\r\n- Removes Uninstall agent
action\r\n- Removes Copy policy menu action\r\n\r\n<img width=\"1595\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/2f195da2-4594-4f54-8f8d-7995e829a5ac\">\r\n<img
width=\"1365\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/4915642d-41e8-4e83-80f9-f334cb879506\">\r\n\r\n\r\n**Agent
Policy Settings**\r\nFor agent policy that are agentless, we disabled
the following
[fleet\r\nactions:](https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-types)\r\n-
Disables Agent monitoring\r\n- Disables Inactivity timeout\r\n- Disables
Fleet Server\r\n- Disables Output for integrations\r\n- Disables Output
for agent monitoring\r\n- Disables Agent binary download\r\n- Disables
Host name format\r\n- Disables Inactive agent unenrollment timeout \r\n-
Disables Advanced Settings - Limit CPU usage\r\n- Disables HTTP
monitoring endpoint\r\n- Disables Agent Logging\r\n\r\n<img
width=\"1569\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/2639be9f-ea10-4d42-b379-a13c4c2b08a1\">\r\n<img
width=\"1517\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/ae6f3e10-8c2b-42fe-8f27-7e8621d373c0\">\r\n\r\n**Agents
Page**\r\n\r\n- Disables Assign to Policy action\r\n- Disables Upgrade
Policy action\r\n- Removes Unassign agent action\r\n- Removes agentless
policies where user can add agent to agentless\r\npolicy\r\n\r\n<img
width=\"1710\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/61bf2d06-d337-45dd-8255-499db1e1ed42\">\r\n<img
width=\"1723\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/cc76787f-d6a2-44fb-9289-7f1f643620ec\">\r\n\r\n\r\n###
How to test in Serverless\r\n Use vault access and open the security
Project in
[build\r\n]([Buildkite\r\nBuild](https://buildkite.com/elastic/kibana-pull-request/builds/234438))\r\n\r\n###
Checklist\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"6742f770497a946de2d21aa39985243eec2b9f7b","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Fleet","v9.0.0","release_note:feature","Team:Cloud
Security","backport:prev-minor","ci:build-cloud-image","ci:cloud-redeploy","ci:project-deploy-security","v8.16.0"],"title":"[Cloud
Security] Agentless integration deletion
flow","number":191557,"url":"https://github.com/elastic/kibana/pull/191557","mergeCommit":{"message":"[Cloud
Security] Agentless integration deletion flow (elastic#191557)\n\n##
Summary\r\n\r\nSummarize your PR. If it involves visual changes include
a screenshot or\r\ngif.\r\nThis PR is completes the deletion flow for
Agentless CSPM.\r\n\r\n**Current Agentless Integraton deletion flow**:
\r\n\r\n1. Successfully delete integration policy\r\n2. Successfully
unenrolls agent from agent policy \r\n3. Successfully revokes enrollment
token\r\n4. Successfully deletes agentless deployment\r\n5. Successfully
deletes agent policy \r\n6. Successful notification shows when deleted
integration policy is\r\nsuccessful\r\n\r\n\r\n## Agentless Agent API
\r\n- Unenrolls agent and revokes token first to avoid 404 save
object\r\nclient error.\r\n- Update `is_managed` property to no longer
check for\r\n`agentPolicy.supports_agentless`. Agentless policies will
now be a\r\nregular policy.\r\n- Adds logging for DELETE agentless Agent
API endpoint \r\n- Adds agentless API deleteendpoint using try & catch.
No errors will be\r\nthrown. Agent status will become offline after
deployment deletion\r\n- If agentless deployment api fails, then we will
continue to delete the\r\nagent policy\r\n\r\n## UI
Changes\r\n\r\n**CSPM Integration** \r\n- Updates Agent Policy Error
toast notification title \r\n- Updates Agent Policy Error toast
notification message \r\n\r\n<img width=\"1612\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/0003ce04-c53c-4e11-8363-ddc25ba342a7\">\r\n\r\n**Edit
Mode**\r\n- Adds back the Agentless selector in Edit
Integration\r\n\r\n<img width=\"1316\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/0d2f20ce-32fc-421c-a15a-48ca6226b67f\">\r\n\r\n**Integration
Policies Page**\r\n- Removes automatic navigation to agent policies page
when deleting an\r\nintegration. In 8.17, we have a ticket to [hide the
agentless
agent\r\npolicies.](https://github.com/elastic/security-team/issues/9857)\r\n-
Enables delete button when deleting package policy with agents
for\r\nagentless policies\r\n- Disables Upgrade Action\r\n- Removes Add
Agent Action\r\n\r\n<img width=\"1717\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/1b7ac4c7-e8bc-41b8-836f-4d3c79a449dd\">\r\n\r\n<img
width=\"670\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/0ab6a4c4-d7c6-43ea-9537-67e7fbcca2b0\">\r\n\r\n\r\n**Agent
Policies Page**\r\n- Updates messaging when deleting the agentless
policy from agent policy\r\npage. Warning users that deleting agentless
policy will also delete the\r\nintegration and unenroll agent.\r\n-
Enables delete button when deleting agentless policy with agents
for\r\nagentless policies\r\n- Removes Add agent menu action\r\n-
Removes Upgrade policy menu action\r\n- Removes Uninstall agent
action\r\n- Removes Copy policy menu action\r\n\r\n<img width=\"1595\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/2f195da2-4594-4f54-8f8d-7995e829a5ac\">\r\n<img
width=\"1365\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/4915642d-41e8-4e83-80f9-f334cb879506\">\r\n\r\n\r\n**Agent
Policy Settings**\r\nFor agent policy that are agentless, we disabled
the following
[fleet\r\nactions:](https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-types)\r\n-
Disables Agent monitoring\r\n- Disables Inactivity timeout\r\n- Disables
Fleet Server\r\n- Disables Output for integrations\r\n- Disables Output
for agent monitoring\r\n- Disables Agent binary download\r\n- Disables
Host name format\r\n- Disables Inactive agent unenrollment timeout \r\n-
Disables Advanced Settings - Limit CPU usage\r\n- Disables HTTP
monitoring endpoint\r\n- Disables Agent Logging\r\n\r\n<img
width=\"1569\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/2639be9f-ea10-4d42-b379-a13c4c2b08a1\">\r\n<img
width=\"1517\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/ae6f3e10-8c2b-42fe-8f27-7e8621d373c0\">\r\n\r\n**Agents
Page**\r\n\r\n- Disables Assign to Policy action\r\n- Disables Upgrade
Policy action\r\n- Removes Unassign agent action\r\n- Removes agentless
policies where user can add agent to agentless\r\npolicy\r\n\r\n<img
width=\"1710\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/61bf2d06-d337-45dd-8255-499db1e1ed42\">\r\n<img
width=\"1723\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/cc76787f-d6a2-44fb-9289-7f1f643620ec\">\r\n\r\n\r\n###
How to test in Serverless\r\n Use vault access and open the security
Project in
[build\r\n]([Buildkite\r\nBuild](https://buildkite.com/elastic/kibana-pull-request/builds/234438))\r\n\r\n###
Checklist\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"6742f770497a946de2d21aa39985243eec2b9f7b"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/191557","number":191557,"mergeCommit":{"message":"[Cloud
Security] Agentless integration deletion flow (elastic#191557)\n\n##
Summary\r\n\r\nSummarize your PR. If it involves visual changes include
a screenshot or\r\ngif.\r\nThis PR is completes the deletion flow for
Agentless CSPM.\r\n\r\n**Current Agentless Integraton deletion flow**:
\r\n\r\n1. Successfully delete integration policy\r\n2. Successfully
unenrolls agent from agent policy \r\n3. Successfully revokes enrollment
token\r\n4. Successfully deletes agentless deployment\r\n5. Successfully
deletes agent policy \r\n6. Successful notification shows when deleted
integration policy is\r\nsuccessful\r\n\r\n\r\n## Agentless Agent API
\r\n- Unenrolls agent and revokes token first to avoid 404 save
object\r\nclient error.\r\n- Update `is_managed` property to no longer
check for\r\n`agentPolicy.supports_agentless`. Agentless policies will
now be a\r\nregular policy.\r\n- Adds logging for DELETE agentless Agent
API endpoint \r\n- Adds agentless API deleteendpoint using try & catch.
No errors will be\r\nthrown. Agent status will become offline after
deployment deletion\r\n- If agentless deployment api fails, then we will
continue to delete the\r\nagent policy\r\n\r\n## UI
Changes\r\n\r\n**CSPM Integration** \r\n- Updates Agent Policy Error
toast notification title \r\n- Updates Agent Policy Error toast
notification message \r\n\r\n<img width=\"1612\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/0003ce04-c53c-4e11-8363-ddc25ba342a7\">\r\n\r\n**Edit
Mode**\r\n- Adds back the Agentless selector in Edit
Integration\r\n\r\n<img width=\"1316\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/0d2f20ce-32fc-421c-a15a-48ca6226b67f\">\r\n\r\n**Integration
Policies Page**\r\n- Removes automatic navigation to agent policies page
when deleting an\r\nintegration. In 8.17, we have a ticket to [hide the
agentless
agent\r\npolicies.](https://github.com/elastic/security-team/issues/9857)\r\n-
Enables delete button when deleting package policy with agents
for\r\nagentless policies\r\n- Disables Upgrade Action\r\n- Removes Add
Agent Action\r\n\r\n<img width=\"1717\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/1b7ac4c7-e8bc-41b8-836f-4d3c79a449dd\">\r\n\r\n<img
width=\"670\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/0ab6a4c4-d7c6-43ea-9537-67e7fbcca2b0\">\r\n\r\n\r\n**Agent
Policies Page**\r\n- Updates messaging when deleting the agentless
policy from agent policy\r\npage. Warning users that deleting agentless
policy will also delete the\r\nintegration and unenroll agent.\r\n-
Enables delete button when deleting agentless policy with agents
for\r\nagentless policies\r\n- Removes Add agent menu action\r\n-
Removes Upgrade policy menu action\r\n- Removes Uninstall agent
action\r\n- Removes Copy policy menu action\r\n\r\n<img width=\"1595\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/2f195da2-4594-4f54-8f8d-7995e829a5ac\">\r\n<img
width=\"1365\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/4915642d-41e8-4e83-80f9-f334cb879506\">\r\n\r\n\r\n**Agent
Policy Settings**\r\nFor agent policy that are agentless, we disabled
the following
[fleet\r\nactions:](https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-types)\r\n-
Disables Agent monitoring\r\n- Disables Inactivity timeout\r\n- Disables
Fleet Server\r\n- Disables Output for integrations\r\n- Disables Output
for agent monitoring\r\n- Disables Agent binary download\r\n- Disables
Host name format\r\n- Disables Inactive agent unenrollment timeout \r\n-
Disables Advanced Settings - Limit CPU usage\r\n- Disables HTTP
monitoring endpoint\r\n- Disables Agent Logging\r\n\r\n<img
width=\"1569\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/2639be9f-ea10-4d42-b379-a13c4c2b08a1\">\r\n<img
width=\"1517\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/ae6f3e10-8c2b-42fe-8f27-7e8621d373c0\">\r\n\r\n**Agents
Page**\r\n\r\n- Disables Assign to Policy action\r\n- Disables Upgrade
Policy action\r\n- Removes Unassign agent action\r\n- Removes agentless
policies where user can add agent to agentless\r\npolicy\r\n\r\n<img
width=\"1710\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/61bf2d06-d337-45dd-8255-499db1e1ed42\">\r\n<img
width=\"1723\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/cc76787f-d6a2-44fb-9289-7f1f643620ec\">\r\n\r\n\r\n###
How to test in Serverless\r\n Use vault access and open the security
Project in
[build\r\n]([Buildkite\r\nBuild](https://buildkite.com/elastic/kibana-pull-request/builds/234438))\r\n\r\n###
Checklist\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"6742f770497a946de2d21aa39985243eec2b9f7b"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Lola <[email protected]>

x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/actions_menu.test.tsx

@@ -109,6 +109,39 @@ describe('AgentPolicyActionMenu', () => {
       const deleteButton = result.getByTestId('agentPolicyActionMenuDeleteButton');
       expect(deleteButton).toHaveAttribute('disabled');
     });
+
+    it('is disabled when agent policy support agentless  is true', () => {
+      const testRenderer = createFleetTestRendererMock();
+      const agentlessPolicy: AgentPolicy = {
+        ...baseAgentPolicy,
+        supports_agentless: true,
+        package_policies: [
+          {
+            id: 'test-package-policy',
+            is_managed: false,
+            created_at: new Date().toISOString(),
+            created_by: 'test',
+            enabled: true,
+            inputs: [],
+            name: 'test-package-policy',
+            namespace: 'default',
+            policy_id: 'test',
+            policy_ids: ['test'],
+            revision: 1,
+            updated_at: new Date().toISOString(),
+            updated_by: 'test',
+          },
+        ],
+      };
+
+      const result = testRenderer.render(<AgentPolicyActionMenu agentPolicy={agentlessPolicy} />);
+
+      const agentActionsButton = result.getByTestId('agentActionsBtn');
+      agentActionsButton.click();
+
+      const deleteButton = result.getByTestId('agentPolicyActionMenuDeleteButton');
+      expect(deleteButton).not.toHaveAttribute('disabled');
+    });
   });
 
   describe('add agent', () => {
@@ -176,6 +209,39 @@ describe('AgentPolicyActionMenu', () => {
       const addButton = result.getByTestId('agentPolicyActionMenuAddAgentButton');
       expect(addButton).toHaveAttribute('disabled');
     });
+
+    it('should remove add agent button when agent policy support agentless  is true', () => {
+      const testRenderer = createFleetTestRendererMock();
+      const agentlessPolicy: AgentPolicy = {
+        ...baseAgentPolicy,
+        supports_agentless: true,
+        package_policies: [
+          {
+            id: 'test-package-policy',
+            is_managed: false,
+            created_at: new Date().toISOString(),
+            created_by: 'test',
+            enabled: true,
+            inputs: [],
+            name: 'test-package-policy',
+            namespace: 'default',
+            policy_id: 'test',
+            policy_ids: ['test'],
+            revision: 1,
+            updated_at: new Date().toISOString(),
+            updated_by: 'test',
+          },
+        ],
+      };
+
+      const result = testRenderer.render(<AgentPolicyActionMenu agentPolicy={agentlessPolicy} />);
+
+      const agentActionsButton = result.getByTestId('agentActionsBtn');
+      agentActionsButton.click();
+
+      const addAgentActionButton = result.queryByTestId('agentPolicyActionMenuAddAgentButton');
+      expect(addAgentActionButton).toBeNull();
+    });
   });
 
   describe('add fleet server', () => {

x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/actions_menu.tsx

@@ -100,82 +100,106 @@ export const AgentPolicyActionMenu = memo<{
             </EuiContextMenuItem>
           );
 
-          const menuItems = agentPolicy?.is_managed
-            ? [viewPolicyItem]
-            : [
+          const deletePolicyItem = (
+            <AgentPolicyDeleteProvider
+              hasFleetServer={policyHasFleetServer(agentPolicy as AgentPolicy)}
+              key="deletePolicy"
+              agentPolicy={agentPolicy}
+              packagePolicies={agentPolicy.package_policies}
+            >
+              {(deleteAgentPolicyPrompt) => (
                 <EuiContextMenuItem
-                  icon="plusInCircle"
-                  disabled={
-                    (isFleetServerPolicy && !authz.fleet.addFleetServers) ||
-                    (!isFleetServerPolicy && !authz.fleet.addAgents)
+                  data-test-subj="agentPolicyActionMenuDeleteButton"
+                  disabled={!authz.fleet.allAgentPolicies || hasManagedPackagePolicy}
+                  toolTipContent={
+                    hasManagedPackagePolicy ? (
+                      <FormattedMessage
+                        id="xpack.fleet.policyForm.deletePolicyActionText.disabled"
+                        defaultMessage="Agent policy with managed package policies cannot be deleted."
+                        data-test-subj="agentPolicyActionMenuDeleteButtonDisabledTooltip"
+                      />
+                    ) : undefined
                   }
-                  data-test-subj="agentPolicyActionMenuAddAgentButton"
-                  onClick={() => {
-                    setIsContextMenuOpen(false);
-                    setIsEnrollmentFlyoutOpen(true);
-                  }}
-                  key="enrollAgents"
-                >
-                  {isFleetServerPolicy ? (
-                    <FormattedMessage
-                      id="xpack.fleet.agentPolicyActionMenu.addFleetServerActionText"
-                      defaultMessage="Add Fleet Server"
-                    />
-                  ) : (
-                    <FormattedMessage
-                      id="xpack.fleet.agentPolicyActionMenu.enrollAgentActionText"
-                      defaultMessage="Add agent"
-                    />
-                  )}
-                </EuiContextMenuItem>,
-                viewPolicyItem,
-                <EuiContextMenuItem
-                  disabled={!authz.integrations.writeIntegrationPolicies}
-                  icon="copy"
+                  icon="trash"
                   onClick={() => {
-                    setIsContextMenuOpen(false);
-                    copyAgentPolicyPrompt(agentPolicy, onCopySuccess);
+                    deleteAgentPolicyPrompt(agentPolicy.id);
                   }}
-                  key="copyPolicy"
                 >
                   <FormattedMessage
-                    id="xpack.fleet.agentPolicyActionMenu.copyPolicyActionText"
-                    defaultMessage="Duplicate policy"
+                    id="xpack.fleet.agentPolicyActionMenu.deletePolicyActionText"
+                    defaultMessage="Delete policy"
                   />
-                </EuiContextMenuItem>,
-                <AgentPolicyDeleteProvider
-                  hasFleetServer={policyHasFleetServer(agentPolicy as AgentPolicy)}
-                  key="deletePolicy"
-                  packagePolicies={agentPolicy.package_policies}
-                >
-                  {(deleteAgentPolicyPrompt) => (
-                    <EuiContextMenuItem
-                      data-test-subj="agentPolicyActionMenuDeleteButton"
-                      disabled={!authz.fleet.allAgentPolicies || hasManagedPackagePolicy}
-                      toolTipContent={
-                        hasManagedPackagePolicy ? (
-                          <FormattedMessage
-                            id="xpack.fleet.policyForm.deletePolicyActionText.disabled"
-                            defaultMessage="Agent policy with managed package policies cannot be deleted."
-                            data-test-subj="agentPolicyActionMenuDeleteButtonDisabledTooltip"
-                          />
-                        ) : undefined
-                      }
-                      icon="trash"
-                      onClick={() => {
-                        deleteAgentPolicyPrompt(agentPolicy.id);
-                      }}
-                    >
-                      <FormattedMessage
-                        id="xpack.fleet.agentPolicyActionMenu.deletePolicyActionText"
-                        defaultMessage="Delete policy"
-                      />
-                    </EuiContextMenuItem>
-                  )}
-                </AgentPolicyDeleteProvider>,
-              ];
+                </EuiContextMenuItem>
+              )}
+            </AgentPolicyDeleteProvider>
+          );
+
+          const copyPolicyItem = (
+            <EuiContextMenuItem
+              data-test-subj="agentPolicyActionMenuCopyButton"
+              disabled={!authz.integrations.writeIntegrationPolicies}
+              icon="copy"
+              onClick={() => {
+                setIsContextMenuOpen(false);
+                copyAgentPolicyPrompt(agentPolicy, onCopySuccess);
+              }}
+              key="copyPolicy"
+            >
+              <FormattedMessage
+                id="xpack.fleet.agentPolicyActionMenu.copyPolicyActionText"
+                defaultMessage="Duplicate policy"
+              />
+            </EuiContextMenuItem>
+          );
+
+          const managedMenuItems = [viewPolicyItem];
+          const agentBasedMenuItems = [
+            <EuiContextMenuItem
+              icon="plusInCircle"
+              disabled={
+                (isFleetServerPolicy && !authz.fleet.addFleetServers) ||
+                (!isFleetServerPolicy && !authz.fleet.addAgents)
+              }
+              data-test-subj="agentPolicyActionMenuAddAgentButton"
+              onClick={() => {
+                setIsContextMenuOpen(false);
+                setIsEnrollmentFlyoutOpen(true);
+              }}
+              key="enrollAgents"
+            >
+              {isFleetServerPolicy ? (
+                <FormattedMessage
+                  id="xpack.fleet.agentPolicyActionMenu.addFleetServerActionText"
+                  defaultMessage="Add Fleet Server"
+                />
+              ) : (
+                <FormattedMessage
+                  id="xpack.fleet.agentPolicyActionMenu.enrollAgentActionText"
+                  defaultMessage="Add agent"
+                />
+              )}
+            </EuiContextMenuItem>,
+            viewPolicyItem,
+            copyPolicyItem,
+            deletePolicyItem,
+          ];
+          const agentlessMenuItems = [viewPolicyItem, deletePolicyItem];
+
+          let menuItems;
+
+          if (agentPolicy?.is_managed) {
+            menuItems = managedMenuItems;
+          } else if (agentPolicy?.supports_agentless) {
+            menuItems = agentlessMenuItems;
+          } else {
+            menuItems = agentBasedMenuItems;
+          }
 
-          if (authz.fleet.allAgents && !agentPolicy?.is_managed) {
+          if (
+            authz.fleet.allAgents &&
+            !agentPolicy?.is_managed &&
+            !agentPolicy?.supports_agentless
+          ) {
             menuItems.push(
               <EuiContextMenuItem
                 icon="refresh"
@@ -193,7 +217,12 @@ export const AgentPolicyActionMenu = memo<{
             );
           }
 
-          if (authz.fleet.allAgents && agentTamperProtectionEnabled && !agentPolicy?.is_managed) {
+          if (
+            authz.fleet.allAgents &&
+            agentTamperProtectionEnabled &&
+            !agentPolicy?.is_managed &&
+            !agentPolicy?.supports_agentless
+          ) {
             menuItems.push(
               <EuiContextMenuItem
                 icon="minusInCircle"

x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx

@@ -121,6 +121,8 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
   const licenseService = useLicense();
   const [isUninstallCommandFlyoutOpen, setIsUninstallCommandFlyoutOpen] = useState(false);
   const policyHasElasticDefend = useMemo(() => hasElasticDefend(agentPolicy), [agentPolicy]);
+  const isManagedorAgentlessPolicy =
+    agentPolicy.is_managed === true || agentPolicy?.supports_agentless === true;
 
   const AgentTamperProtectionSectionContent = useMemo(
     () => (
@@ -196,7 +198,12 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
   );
 
   const AgentTamperProtectionSection = useMemo(() => {
-    if (agentTamperProtectionEnabled && licenseService.isPlatinum() && !agentPolicy.is_managed) {
+    if (
+      agentTamperProtectionEnabled &&
+      licenseService.isPlatinum() &&
+      !agentPolicy.is_managed &&
+      !agentPolicy.supports_agentless
+    ) {
       if (AgentTamperProtectionWrapper) {
         return (
           <Suspense fallback={null}>
@@ -214,6 +221,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
     agentPolicy.is_managed,
     AgentTamperProtectionWrapper,
     AgentTamperProtectionSectionContent,
+    agentPolicy.supports_agentless,
   ]);
 
   return (
@@ -405,7 +413,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
       >
         <EuiSpacer size="l" />
         <EuiCheckboxGroup
-          disabled={disabled || agentPolicy.is_managed === true}
+          disabled={disabled || isManagedorAgentlessPolicy}
           options={[
             {
               id: `${dataTypes.Logs}_${monitoringCheckboxIdSuffix}`,
@@ -541,7 +549,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
         >
           <EuiFieldNumber
             fullWidth
-            disabled={disabled || agentPolicy.is_managed === true}
+            disabled={disabled || isManagedorAgentlessPolicy}
             value={agentPolicy.inactivity_timeout || ''}
             min={0}
             onChange={(e) => {
@@ -582,7 +590,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
           isInvalid={Boolean(touchedFields.fleet_server_host_id && validation.fleet_server_host_id)}
         >
           <EuiSuperSelect
-            disabled={disabled || agentPolicy.is_managed === true}
+            disabled={disabled || isManagedorAgentlessPolicy}
             valueOfSelected={agentPolicy.fleet_server_host_id || DEFAULT_SELECT_VALUE}
             fullWidth
             isLoading={isLoadingFleetServerHostsOption}
@@ -623,7 +631,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
           isDisabled={disabled}
         >
           <EuiSuperSelect
-            disabled={disabled || agentPolicy.is_managed === true}
+            disabled={disabled || isManagedorAgentlessPolicy}
             valueOfSelected={agentPolicy.data_output_id || DEFAULT_SELECT_VALUE}
             fullWidth
             isLoading={isLoadingOptions}
@@ -664,7 +672,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
           isDisabled={disabled}
         >
           <EuiSuperSelect
-            disabled={disabled || agentPolicy.is_managed === true}
+            disabled={disabled || isManagedorAgentlessPolicy}
             valueOfSelected={agentPolicy.monitoring_output_id || DEFAULT_SELECT_VALUE}
             fullWidth
             isLoading={isLoadingOptions}
@@ -706,7 +714,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
           isDisabled={disabled}
         >
           <EuiSuperSelect
-            disabled={disabled}
+            disabled={disabled || agentPolicy?.supports_agentless === true}
             valueOfSelected={agentPolicy.download_source_id || DEFAULT_SELECT_VALUE}
             fullWidth
             isLoading={isLoadingDownloadSources}
@@ -739,7 +747,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
       >
         <EuiFormRow fullWidth isDisabled={disabled}>
           <EuiRadioGroup
-            disabled={disabled}
+            disabled={disabled || agentPolicy?.supports_agentless === true}
             options={[
               {
                 id: 'hostname',
@@ -834,7 +842,7 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
         >
           <EuiFieldNumber
             fullWidth
-            disabled={disabled || agentPolicy.is_managed === true}
+            disabled={disabled || isManagedorAgentlessPolicy}
             value={agentPolicy.unenroll_timeout || ''}
             min={0}
             onChange={(e) => {