eli-540 attach roles to lambda and external role

Karthikeyannhs · Karthikeyannhs · commit a759b04276f3 · 2025-12-08T17:50:48.000Z
diff --git a/infrastructure/modules/secrets_manager/outputs.tf b/infrastructure/modules/secrets_manager/outputs.tf
@@ -0,0 +1,3 @@
+output "aws_hashing_secret_arn" {
+  value = aws_secretsmanager_secret.hashing_secret.arn
+}
diff --git a/infrastructure/modules/secrets_manager/variables.tf b/infrastructure/modules/secrets_manager/variables.tf
@@ -1,6 +1,6 @@
 variable "external_write_access_role_arn" {
-  description = "Arn of the external write access role to provide secret manager access"
-  type        = string
+  description = "List of ARNs for external write access roles"
+  type = list(string)
 }
 
 variable "eligibility_lambda_role_arn" {
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -530,3 +530,34 @@ resource "aws_iam_role_policy" "external_audit_kms_access_policy" {
   role   = aws_iam_role.write_access_role[count.index].id
   policy = data.aws_iam_policy_document.external_role_s3_audit_kms_access_policy.json
 }
+
+# IAM policy document for Lambda secret access
+data "aws_iam_policy_document" "secrets_access_policy" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+    ]
+
+    resources = [
+      module.secrets_manager.aws_hashing_secret_arn
+    ]
+  }
+}
+
+# Attach secret read policy to Lambda role
+resource "aws_iam_role_policy" "lambda_secret_read_policy_attachment" {
+  name   = "LambdaSecretReadAccess"
+  role   = aws_iam_role.eligibility_lambda_role.id
+  policy = data.aws_iam_policy_document.secrets_access_policy.json
+}
+
+# Attach secret read policy to external write role
+resource "aws_iam_role_policy" "external_secret_read_policy_attachment" {
+  count = length(aws_iam_role.write_access_role)
+  name   = "ExternalSecretReadAccess"
+  role   = aws_iam_role.write_access_role[count.index].id
+  policy = data.aws_iam_policy_document.secrets_access_policy.json
+}
diff --git a/infrastructure/stacks/api-layer/secrets_manager.tf b/infrastructure/stacks/api-layer/secrets_manager.tf
@@ -1,9 +1,8 @@
 module "secrets_manager" {
   source = "../../modules/secrets_manager"
-  count = length(aws_iam_role.write_access_role)
-  external_write_access_role_arn = aws_iam_role.write_access_role[count.index].arn
-  environment  = var.environment
-  stack_name   = local.stack_name
-  workspace    = terraform.workspace
-  eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn
+  external_write_access_role_arn = aws_iam_role.write_access_role[*].arn
+  environment                    = var.environment
+  stack_name                     = local.stack_name
+  workspace                      = terraform.workspace
+  eligibility_lambda_role_arn    = aws_iam_role.eligibility_lambda_role.arn
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+output "aws_hashing_secret_arn" {`
	`2`	`+ value = aws_secretsmanager_secret.hashing_secret.arn`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`variable "external_write_access_role_arn" {`
`2`		`- description = "Arn of the external write access role to provide secret manager access"`
`3`		`- type = string`
	`2`	`+ description = "List of ARNs for external write access roles"`
	`3`	`+ type = list(string)`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`variable "eligibility_lambda_role_arn" {`