Merge pull request #18 from VoodooTeam/fix(policy)--delete-old-policy-version-before-updating-if-needed

fix(policy): delete old policy version before updating if needed

Author: thmslx

aws/aws.go

@@ -82,6 +82,10 @@ func (m RealAwsManager) UpdatePolicy(policy api.Policy) error {
 		return err
 	}
 
+	if err := m.deleteOldestPolicyVersionIfNeeded(policy.Spec.ARN); err != nil {
+		return err
+	}
+
 	_, err = m.Client.CreatePolicyVersion(&iam.CreatePolicyVersionInput{PolicyArn: &policy.Spec.ARN, PolicyDocument: &policyDoc, SetAsDefault: aws.Bool(true)})
 	if err != nil {
 		return err
@@ -90,6 +94,39 @@ func (m RealAwsManager) UpdatePolicy(policy api.Policy) error {
 	return nil
 }
 
+// deleteOldestPolicyVersionIfNeeded deletes the oldest policy version of a manage policy
+// if it is full, ie if it has already 5 versions
+func (m RealAwsManager) deleteOldestPolicyVersionIfNeeded(arn string) error {
+	res, err := m.Client.ListPolicyVersions(&iam.ListPolicyVersionsInput{PolicyArn: &arn})
+	if err != nil {
+		return err
+	}
+
+	// no need to delete a version if we have less than 5
+	if len(res.Versions) < 5 {
+		return nil
+	}
+
+	// looking for the oldest non-default version
+	var oldest *iam.PolicyVersion
+
+	for _, pv := range res.Versions {
+		if *pv.IsDefaultVersion {
+			continue
+		}
+		if oldest == nil || pv.CreateDate.Before(*oldest.CreateDate) {
+			oldest = pv
+		}
+	}
+
+	if oldest == nil {
+		return nil
+	}
+
+	_, err = m.Client.DeletePolicyVersion(&iam.DeletePolicyVersionInput{PolicyArn: &arn, VersionId: oldest.VersionId})
+	return err
+}
+
 func (m RealAwsManager) CreatePolicy(policy api.Policy) error {
 	_ = m.log.WithName("aws").WithName("policy")
 

aws/aws_test.go

@@ -6,9 +6,11 @@ import (
 	. "github.com/onsi/gomega"
 )
 
-var validPolicy = api.NewPolicy("name", "testns", []api.StatementSpec{
-	{Resource: "arn:aws:s3:::my_corporate_bucket/exampleobject.png", Action: []string{"an:action"}},
-})
+var (
+	validPolicy = api.NewPolicy("name", "testns", []api.StatementSpec{
+		{Resource: "arn:aws:s3:::my_corporate_bucket/exampleobject.png", Action: []string{"an:action"}},
+	})
+)
 
 var _ = Describe("policy", func() {
 	It("given a valid policy", func() {
@@ -26,6 +28,14 @@ var _ = Describe("policy", func() {
 		Expect(err).NotTo(HaveOccurred())
 		Expect(policyARN).NotTo(BeEmpty())
 
+		By("creating new policy versions 5 times")
+		validPolicy.Spec.ARN = policyARN
+
+		for i := 0; i < 5; i++ {
+			err = awsmngr.UpdatePolicy(*validPolicy)
+			Expect(err).ToNot(HaveOccurred())
+		}
+
 		By("deleting it")
 		Expect(policyARN).NotTo(BeEmpty())
 		err = awsmngr.DeletePolicy(policyARN)