Update IAM policy in Github workflow

bogsi17 · bogsi17 · commit 7cae5936293e · 2025-05-16T15:50:29.000+01:00
diff --git a/.github/workflows/deploy-infrastructure.yml b/.github/workflows/deploy-infrastructure.yml
@@ -60,6 +60,10 @@ jobs:
         with:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
+      - name: Update IAM policy
+        run: |
+          set -e
+          ./../scripts/update-github-actions-policy.sh ${{ env.aws_role }} ../resources/github_actions_policy.json
       - name: Set image tag
         run: |
           IMAGE_TAG="${{ inputs.image_tag || github.sha }}"
diff --git a/terraform/scripts/update-github-actions-policy.sh b/terraform/scripts/update-github-actions-policy.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 <policy-arn> <policy-file>"
+    exit 1
+fi
+
+POLICY_ARN=$1
+POLICY_FILE=$2
+
+# Get existing policy versions
+EXISTING_VERSIONS=$(aws iam list-policy-versions --policy-arn "$POLICY_ARN" --query 'Versions[].VersionId' --output text)
+
+# If there are 5 or more versions, delete the oldest one
+if [ "$(echo "$EXISTING_VERSIONS" | wc -w)" -ge 5 ]; then
+    OLDEST_VERSION=$(echo "$EXISTING_VERSIONS" | awk '{print $NF}')
+    echo "Deleting oldest version: $OLDEST_VERSION"
+    aws iam delete-policy-version --policy-arn "$POLICY_ARN" --version-id "$OLDEST_VERSION"
+else
+    echo "No need to delete any policy versions."
+fi
+
+# Create a new version of the policy
+aws iam create-policy-version --policy-arn "$POLICY_ARN" --policy-document "file://$POLICY_FILE" --set-as-default
