allow access to airflow env stg or prod in all containers (#1997)

Tian-2017 · web-flow · commit 579918aca1e0 · 2024-11-26T10:58:03.000Z
* allow access to airflow env stg or prod in all containers

* add the arn in prod
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -433,7 +433,9 @@ data "aws_iam_policy_document" "secrets_manager_read_only" {
       aws_secretsmanager_secret.redshift_cluster_credentials.arn,
       module.google_service_account.credentials_secret.arn,
       "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:${var.identifier_prefix}/${local.department_identifier}/*",
-      "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:${var.short_identifier_prefix}/${local.department_identifier}*"
+      "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:${var.short_identifier_prefix}/${local.department_identifier}*",
+      "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:airflow/variables/env-fxe5CD",
+      "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:airflow/variables/env-jeCYYl",
     ]
   }
 

Original file line number	Diff line number	Diff line change
`@@ -433,7 +433,9 @@ data "aws_iam_policy_document" "secrets_manager_read_only" {`
`433`	`433`	`aws_secretsmanager_secret.redshift_cluster_credentials.arn,`
`434`	`434`	`module.google_service_account.credentials_secret.arn,`
`435`	`435`	`"arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:${var.identifier_prefix}/${local.department_identifier}/*",`
`436`		`- "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:${var.short_identifier_prefix}/${local.department_identifier}*"`
	`436`	`+ "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:${var.short_identifier_prefix}/${local.department_identifier}*",`
	`437`	`+ "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:airflow/variables/env-fxe5CD",`
	`438`	`+ "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:airflow/variables/env-jeCYYl",`
`437`	`439`	`]`
`438`	`440`	`}`
`439`	`441`