fix: Expand Permissions for external-secrets IRSA Policy towards AWS Secrets Manager (#416)

Co-authored-by: Bryant Biggs <[email protected]>

Author: aschaber1

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -501,21 +501,34 @@ data "aws_iam_policy_document" "external_secrets" {
   }
 
   statement {
-    actions = [
-      "kms:Decrypt"
-    ]
+    actions   = ["kms:Decrypt"]
     resources = var.external_secrets_kms_key_arns
   }
 
   dynamic "statement" {
     for_each = var.external_secrets_secrets_manager_create_permission ? [1] : []
     content {
       actions = [
-        "secretsmanager:CreateSecret"
+        "secretsmanager:CreateSecret",
+        "secretsmanager:PutSecretValue",
+        "secretsmanager:TagResource",
       ]
       resources = var.external_secrets_secrets_manager_arns
     }
   }
+
+  dynamic "statement" {
+    for_each = var.external_secrets_secrets_manager_create_permission ? [1] : []
+    content {
+      actions   = ["secretsmanager:DeleteSecret"]
+      resources = var.external_secrets_secrets_manager_arns
+      condition {
+        test     = "StringEquals"
+        variable = "secretsmanager:ResourceTag/managed-by"
+        values   = ["external-secrets"]
+      }
+    }
+  }
 }
 
 resource "aws_iam_policy" "external_secrets" {