Update IAM policy in Github workflow

Author: bogsi17

.github/workflows/deploy-infrastructure.yml

@@ -39,6 +39,8 @@ env:
   aws_role: ${{ inputs.environment == 'production'
     && 'arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure'
     || 'arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure' }}
+  aws_account_id: ${{ inputs.environment == 'production'
+    && '820242920762' || '393416225559' }}
 
 defaults:
   run:
@@ -60,6 +62,10 @@ jobs:
         with:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
+      - name: Update IAM policy
+        run: |
+          set -e
+          ./../scripts/update-github-actions-policy.sh arn:aws:iam::${{ env.aws_role }}:policy/DeployMavisResources ../resources/github_actions_policy.json
       - name: Set image tag
         run: |
           IMAGE_TAG="${{ inputs.image_tag || github.sha }}"

terraform/scripts/update-github-actions-policy.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 <policy-arn> <policy-file>"
+    exit 1
+fi
+
+POLICY_ARN=$1
+POLICY_FILE=$2
+
+# Get existing policy versions
+EXISTING_VERSIONS=$(aws iam list-policy-versions --policy-arn "$POLICY_ARN" --query 'Versions[].VersionId' --output text)
+
+# If there are 5 or more versions, delete the oldest one
+if [ "$(echo "$EXISTING_VERSIONS" | wc -w)" -ge 5 ]; then
+    OLDEST_VERSION=$(echo "$EXISTING_VERSIONS" | awk '{print $NF}')
+    echo "Deleting oldest version: $OLDEST_VERSION"
+    aws iam delete-policy-version --policy-arn "$POLICY_ARN" --version-id "$OLDEST_VERSION"
+else
+    echo "No need to delete any policy versions."
+fi
+
+# Create a new version of the policy
+aws iam create-policy-version --policy-arn "$POLICY_ARN" --policy-document "file://$POLICY_FILE" --set-as-default