fix: Fix IAM policy for External Secrets (#28)

rastut · web-flow · commit 9bc80322946b · 2025-01-09T09:28:32.000-06:00
Signed-off-by: Carlos Lopez &lt;carloslm@nuclia.com&gt;
diff --git a/external_secrets.tf b/external_secrets.tf
@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "external_secrets" {
     for_each = length(var.external_secrets_secrets_manager_arns) > 0 ? [1] : []
 
     content {
-      actions   = ["secretsmanager:ListSecrets"]
+      actions   = ["secretsmanager:ListSecrets", "secretsmanager:BatchGetSecretValue"]
       resources = ["*"]
     }
   }
@@ -49,8 +49,7 @@ data "aws_iam_policy_document" "external_secrets" {
         "secretsmanager:GetResourcePolicy",
         "secretsmanager:GetSecretValue",
         "secretsmanager:DescribeSecret",
-        "secretsmanager:ListSecretVersionIds",
-        "secretsmanager:BatchGetSecretValue",
+        "secretsmanager:ListSecretVersionIds"
       ]
 
       resources = var.external_secrets_secrets_manager_arns

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "external_secrets" {`
`36`	`36`	`for_each = length(var.external_secrets_secrets_manager_arns) > 0 ? [1] : []`
`37`	`37`
`38`	`38`	`content {`
`39`		`- actions = ["secretsmanager:ListSecrets"]`
	`39`	`+ actions = ["secretsmanager:ListSecrets", "secretsmanager:BatchGetSecretValue"]`
`40`	`40`	`resources = ["*"]`
`41`	`41`	`}`
`42`	`42`	`}`
`@@ -49,8 +49,7 @@ data "aws_iam_policy_document" "external_secrets" {`
`49`	`49`	`"secretsmanager:GetResourcePolicy",`
`50`	`50`	`"secretsmanager:GetSecretValue",`
`51`	`51`	`"secretsmanager:DescribeSecret",`
`52`		`- "secretsmanager:ListSecretVersionIds",`
`53`		`- "secretsmanager:BatchGetSecretValue",`
	`52`	`+ "secretsmanager:ListSecretVersionIds"`
`54`	`53`	`]`
`55`	`54`
`56`	`55`	`resources = var.external_secrets_secrets_manager_arns`