resource/aws_iot_policy: Delete oldest policy version when max number is reached

jeandek · jeandek · commit 784897a68cd9 · 2019-07-30T14:55:14.000+02:00
diff --git a/aws/resource_aws_iot_policy.go b/aws/resource_aws_iot_policy.go
@@ -1,6 +1,7 @@
 package aws
 
 import (
+	"fmt"
 	"log"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -75,6 +76,10 @@ func resourceAwsIotPolicyRead(d *schema.ResourceData, meta interface{}) error {
 func resourceAwsIotPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).iotconn
 
+	if err := iotPolicyPruneVersions(d.Id(), conn); err != nil {
+		return err
+	}
+
 	if d.HasChange("policy") {
 		_, err := conn.CreatePolicyVersion(&iot.CreatePolicyVersionInput{
 			PolicyName:     aws.String(d.Id()),
@@ -129,3 +134,55 @@ func resourceAwsIotPolicyDelete(d *schema.ResourceData, meta interface{}) error
 
 	return nil
 }
+
+// iotPolicyPruneVersions deletes the oldest non-default version if the maximum
+// number of versions (5) has been reached.
+func iotPolicyPruneVersions(name string, iotconn *iot.IoT) error {
+	versions, err := iotPolicyListVersions(name, iotconn)
+	if err != nil {
+		return err
+	}
+	if len(versions) < 5 {
+		return nil
+	}
+
+	var oldestVersion *iot.PolicyVersion
+
+	for _, version := range versions {
+		if *version.IsDefaultVersion {
+			continue
+		}
+		if oldestVersion == nil ||
+			version.CreateDate.Before(*oldestVersion.CreateDate) {
+			oldestVersion = version
+		}
+	}
+
+	err = iotPolicyDeleteVersion(name, *oldestVersion.VersionId, iotconn)
+	return err
+}
+
+func iotPolicyListVersions(name string, iotconn *iot.IoT) ([]*iot.PolicyVersion, error) {
+	request := &iot.ListPolicyVersionsInput{
+		PolicyName: aws.String(name),
+	}
+
+	response, err := iotconn.ListPolicyVersions(request)
+	if err != nil {
+		return nil, fmt.Errorf("Error listing versions for IoT policy %s: %s", name, err)
+	}
+	return response.PolicyVersions, nil
+}
+
+func iotPolicyDeleteVersion(name, versionID string, iotconn *iot.IoT) error {
+	request := &iot.DeletePolicyVersionInput{
+		PolicyName:      aws.String(name),
+		PolicyVersionId: aws.String(versionID),
+	}
+
+	_, err := iotconn.DeletePolicyVersion(request)
+	if err != nil {
+		return fmt.Errorf("Error deleting version %s from IoT policy %s: %s", versionID, name, err)
+	}
+	return nil
+}
