
Merge pull request #18 from VoodooTeam/fix(policy)--delete-old-policy…
…-version-before-updating-if-needed

fix(policy): delete old policy version before updating if needed
thmslx authored Aug 9, 2021
2 parents 01b54bf + b8e5ac5 commit 0575b67
Showing 2 changed files with 50 additions and 3 deletions.
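--- a/aws/aws.go
+++ b/aws/aws.go
@@ -82,6 +82,10 @@ func (m RealAwsManager) UpdatePolicy(policy api.Policy) error {
 return err
 }
 
+if err := m.deleteOldestPolicyVersionIfNeeded(policy.Spec.ARN); err != nil {
+return err
+}
+
 _, err = m.Client.CreatePolicyVersion(&iam.CreatePolicyVersionInput{PolicyArn: &policy.Spec.ARN, PolicyDocument: &policyDoc, SetAsDefault: aws.Bool(true)})
 if err != nil {
 return err
@@ -90,6 +94,39 @@ func (m RealAwsManager) UpdatePolicy(policy api.Policy) error {
 return nil
 }
 
+// deleteOldestPolicyVersionIfNeeded deletes the oldest policy version of a manage policy
+// if it is full, ie if it has already 5 versions
+func (m RealAwsManager) deleteOldestPolicyVersionIfNeeded(arn string) error {
+res, err := m.Client.ListPolicyVersions(&iam.ListPolicyVersionsInput{PolicyArn: &arn})
+if err != nil {
+return err
+}
+
+// no need to delete a version if we have less than 5
+if len(res.Versions) < 5 {
+return nil
+}
+
+// looking for the oldest non-default version
+var oldest *iam.PolicyVersion
+
+for _, pv := range res.Versions {
+if *pv.IsDefaultVersion {
+continue
+}
+if oldest == nil || pv.CreateDate.Before(*oldest.CreateDate) {
+oldest = pv
+}
+}
+
+if oldest == nil {
+return nil
+}
+
+_, err = m.Client.DeletePolicyVersion(&iam.DeletePolicyVersionInput{PolicyArn: &arn, VersionId: oldest.VersionId})
+return err
+}
+
 func (m RealAwsManager) CreatePolicy(policy api.Policy) error {
 _ = m.log.WithName("aws").WithName("policy")
 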
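Review bot: `*pv.IsDefaultVersion` and `*oldest.CreateDate` in deleteOldestPolicyVersionIfNeeded dereference SDK pointer fields without a nil check, so a version entry with either field unset panics the reconciler instead of returning an error; the file already uses the `aws` helper package, so `if aws.BoolValue(pv.IsDefaultVersion) { continue }` and `if oldest == nil || aws.TimeValue(pv.CreateDate).Before(aws.TimeValue(oldest.CreateDate)) {` keep the same selection while being nil-safe. The delete is irreversible and removes the version an operator would most likely roll back to, so logging the chosen VersionId through m.log before DeletePolicyVersion, and wrapping the ListPolicyVersions/DeletePolicyVersion errors with the ARN (e.g. `fmt.Errorf("listing versions of %s: %w", arn, err)` if fmt is imported), would make a failed or surprising reconcile traceable to the policy. The `< 5` check mirrors the per-policy version cap the comment refers to, but two reconciles of the same policy running concurrently can both pass it and then hit a limit error from CreatePolicyVersion, which is the next call in UpdatePolicy. UpdatePolicy itself begins before the first hunk.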
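--- a/aws/aws_test.go
+++ b/aws/aws_test.go
@@ -6,9 +6,11 @@ import (
 . "github.com/onsi/gomega"
 )
 
-var validPolicy = api.NewPolicy("name", "testns", []api.StatementSpec{
-{Resource: "arn:aws:s3:::my_corporate_bucket/exampleobject.png", Action: []string{"an:action"}},
-})
+var (
+validPolicy = api.NewPolicy("name", "testns", []api.StatementSpec{
+{Resource: "arn:aws:s3:::my_corporate_bucket/exampleobject.png", Action: []string{"an:action"}},
+})
+)
 
 var _ = Describe("policy", func() {
 It("given a valid policy", func() {
@@ -26,6 +28,14 @@ var _ = Describe("policy", func() {
 Expect(err).NotTo(HaveOccurred())
 Expect(policyARN).NotTo(BeEmpty())
 
+By("creating new policy versions 5 times")
+validPolicy.Spec.ARN = policyARN
+
+for i := 0; i < 5; i++ {
+err = awsmngr.UpdatePolicy(*validPolicy)
+Expect(err).ToNot(HaveOccurred())
+}
+
 By("deleting it")
 Expect(policyARN).NotTo(BeEmpty())
 err = awsmngr.DeletePolicy(policyARN)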
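Review bot: `validPolicy.Spec.ARN = policyARN` mutates the package-level fixture declared at the top of the file, so any later spec that reuses validPolicy inherits an ARN from this test; copying first, `policy := *validPolicy; policy.Spec.ARN = policyARN`, and passing `policy` to UpdatePolicy keeps the shared fixture untouched. The loop only exercises the new delete path implicitly: after the five updates nothing asserts the version count or which version disappeared, so a regression that removes the newest non-default version instead of the oldest would still pass. The magic count deserves a comment such as `// a fresh policy starts at v1; five updates push it past the 5-version cap so the fifth one goes through deleteOldestPolicyVersionIfNeeded`. The enclosing It block starts and ends outside the hunk.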
