Open
Describe the bug
The IAM policy Pike generates for the role lacks the ability to purge the oldest version of a policy when it is updated. The maximum number of policy versions is 5, so as usage increases the Pike role eventually needs to be able to use iam:DeletePolicyVersion to purge the oldest version.
To Reproduce
Steps to reproduce the behavior:
- Use Pike to generate a role to manage some AWS config that includes a policy
- Iterate this policy version 5 times
- The next policy version will fail
- See error:

```
Nov 5, 1:00:51 PM│ Error: deleting IAM Policy (arn:aws:iam::xxxxxxxxxx:policy/my-iam-policy-managed-by-pike) version (v8): operation error IAM: DeletePolicyVersion, https response error StatusCode: 403, RequestID: 31abb28b-3a9b-44a0-950b-dae44755dfdc, api error AccessDenied: User: arn:aws:sts::xxxxxxxxxx:assumed-role/tkn-pipeline-user/tf-run-hop is not authorized to perform: iam:DeletePolicyVersion on resource: policy arn:aws:iam::xxxxxxxxxx:policy/my-iam-policy-managed-by-pike because no identity-based policy allows the iam:DeletePolicyVersion action
```
Expected behavior
The IAM role created by Pike should have the ability to remove policy versions.
Desktop (please complete the following information):
- Pike version 0.3.79
I am unsure whether this would need to be added to the modify JSON or become part of the apply block.
It also lacks the ability to use iam:CreatePolicyVersion.
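An added example (Python; not code from the Pike project or from this issue) of the two pieces the report is asking for: the least-privilege IAM statement a generator would need to emit for policy version management, and the pruning step that deletes the oldest non-default version before `CreatePolicyVersion` when a customer managed policy already has five versions. The policy ARN, the sample version list and the `FakeIAM` stand-in are constructed for this example so it runs offline; the method names and keyword arguments mirror the boto3 IAM client, so a real `boto3.client("iam")` can be passed to `roll_policy_version` in its place.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

IAM_MAX_POLICY_VERSIONS = 5  # hard IAM limit per customer managed policy

# Assumed ARN for the example; the real issue uses a redacted account id.
POLICY_ARN = "arn:aws:iam::123456789012:policy/my-iam-policy-managed-by-pike"


def version_management_statement(policy_arn: str) -> Dict:
    """IAM statement granting what is needed to roll a managed policy forward:
    create the new version, list and delete old ones, and choose the default.
    Scoped to the single policy ARN rather than '*' so the deploy role cannot
    rewrite unrelated managed policies."""
    return {
        "Sid": "ManagePolicyVersions",
        "Effect": "Allow",
        "Action": [
            "iam:CreatePolicyVersion",
            "iam:DeletePolicyVersion",
            "iam:ListPolicyVersions",
            "iam:SetDefaultPolicyVersion",
        ],
        "Resource": policy_arn,
    }


def version_to_prune(versions: List[Dict]) -> Optional[str]:
    """Given the Versions list from ListPolicyVersions, return the VersionId to
    delete before a new version can be created, or None if there is room.
    IAM refuses to delete the default version (DeleteConflict), so the oldest
    non-default version is chosen, even when the default is the oldest."""
    if len(versions) < IAM_MAX_POLICY_VERSIONS:
        return None
    candidates = [v for v in versions if not v.get("IsDefaultVersion", False)]
    if not candidates:
        return None
    oldest = min(candidates, key=lambda v: v["CreateDate"])
    return oldest["VersionId"]


def roll_policy_version(iam, policy_arn: str, document: Dict) -> str:
    """Create a new default version of policy_arn, first deleting the oldest
    non-default version when the policy is already at the limit.
    `iam` is any object exposing the boto3 IAM client methods used here."""
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    stale = version_to_prune(versions)
    if stale is not None:
        iam.delete_policy_version(PolicyArn=policy_arn, VersionId=stale)
    resp = iam.create_policy_version(
        PolicyArn=policy_arn,
        PolicyDocument=json.dumps(document),
        SetAsDefault=True,
    )
    return resp["PolicyVersion"]["VersionId"]


def sample_versions(default_id: str = "v5") -> List[Dict]:
    """Constructed ListPolicyVersions output: v1..v5, one per day, one default."""
    base = datetime(2024, 11, 1, tzinfo=timezone.utc)
    return [
        {"VersionId": f"v{i}", "IsDefaultVersion": f"v{i}" == default_id,
         "CreateDate": base + timedelta(days=i - 1)}
        for i in range(1, 6)
    ]


class FakeIAM:
    """Constructed stand-in for a boto3 IAM client so the example runs offline.
    Mirrors only the three calls roll_policy_version makes, including IAM's
    refusal to delete the default version and its 5-version limit. Version ids
    keep incrementing after deletions, as they do in IAM (hence v8 in the issue)."""

    def __init__(self, versions: List[Dict]):
        self.versions = list(versions)
        self.deleted: List[str] = []
        self.next_id = 1 + max(int(v["VersionId"][1:]) for v in self.versions)

    def list_policy_versions(self, PolicyArn: str) -> Dict:
        return {"Versions": list(self.versions)}

    def delete_policy_version(self, PolicyArn: str, VersionId: str) -> None:
        for v in self.versions:
            if v["VersionId"] == VersionId and v["IsDefaultVersion"]:
                raise RuntimeError("DeleteConflict: cannot delete the default version")
        self.deleted.append(VersionId)
        self.versions = [v for v in self.versions if v["VersionId"] != VersionId]

    def create_policy_version(self, PolicyArn: str, PolicyDocument: str, SetAsDefault: bool) -> Dict:
        if len(self.versions) >= IAM_MAX_POLICY_VERSIONS:
            raise RuntimeError("LimitExceeded: a managed policy can have up to 5 versions")
        new_id = f"v{self.next_id}"
        created = datetime(2024, 11, 1, tzinfo=timezone.utc) + timedelta(days=self.next_id - 1)
        self.next_id += 1
        if SetAsDefault:
            for v in self.versions:
                v["IsDefaultVersion"] = False
        self.versions.append({"VersionId": new_id, "IsDefaultVersion": SetAsDefault, "CreateDate": created})
        return {"PolicyVersion": {"VersionId": new_id, "IsDefaultVersion": SetAsDefault}}


if __name__ == "__main__":
    iam = FakeIAM(sample_versions())
    doc = {"Version": "2012-10-17", "Statement": [version_management_statement(POLICY_ARN)]}
    print("created", roll_policy_version(iam, POLICY_ARN, doc), "after deleting", iam.deleted)
```

Two caveats worth keeping in mind when wiring this into a generator: `DeletePolicyVersion` cannot remove the current default, so the prune step must skip it even when it is the oldest version, and the `Resource` of the statement should stay the specific policy ARN (or an ARN pattern for the policies the tool manages) rather than `*`, since version management on an arbitrary managed policy is effectively the ability to rewrite that policy.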