
Conversation

ohookins
Contributor

Description

Applies the same dynamic trick to the secretsmanager part of the external secrets role policy, so that if we don't grant access to any secrets we don't end up with an apply error.

Motivation and Context

Without supplying any values for var.external_secrets_secrets_manager_arns we end up with a policy statement like this:

                  + {
                      + Action = [
                          + "secretsmanager:ListSecretVersionIds",
                          + "secretsmanager:GetSecretValue",
                          + "secretsmanager:GetResourcePolicy",
                          + "secretsmanager:DescribeSecret",
                        ]
                      + Effect = "Allow"
                    },

This is invalid since it lacks resources and cannot be applied.

Breaking Changes

No breaking change.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

It's such a trivial change I don't believe these are necessary but can circle back to these if you like.
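The guard described above, written out as an added Terraform example (not the module's own code): the secretsmanager statement is emitted only when at least one ARN is supplied, so an empty list never produces a statement without `Resource`. The variable name comes from the PR; the `sid` and the omission of the policy's other statements are assumptions.

```hcl
# Added example, not the module's own code: only render the secretsmanager
# statement when the caller actually grants access to one or more secrets.
variable "external_secrets_secrets_manager_arns" {
  description = "Secrets Manager ARNs the external-secrets role may read (name taken from the PR)"
  type        = list(string)
  default     = []
}

data "aws_iam_policy_document" "external_secrets" {
  # With an empty list the for_each collection is empty and the whole
  # statement is dropped, instead of producing an Allow with actions
  # but no resources, which IAM rejects at apply time.
  dynamic "statement" {
    for_each = length(var.external_secrets_secrets_manager_arns) > 0 ? [1] : []

    content {
      sid    = "SecretsManagerRead" # assumed
      effect = "Allow"
      actions = [
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:GetSecretValue",
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:DescribeSecret",
      ]
      # Scoped to exactly the ARNs passed in; no wildcard fallback.
      resources = var.external_secrets_secrets_manager_arns
    }
  }
}
```

Running `terraform plan` with the default (empty) list shows no secretsmanager statement at all, while passing one or more ARNs yields a statement scoped to just those resources.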

@ohookins ohookins changed the title Make secretsmanager policy statement dynamic. fix: Make secretsmanager policy statement dynamic. Aug 18, 2025
@bryantbiggs bryantbiggs changed the title fix: Make secretsmanager policy statement dynamic. fix: Remove any secretsmanager:* permissions if no secret ARNs are provided to IRSA external-secrets permissions Aug 18, 2025
@bryantbiggs bryantbiggs merged commit d610954 into terraform-aws-modules:master Aug 18, 2025
21 of 22 checks passed
antonbabenko pushed a commit that referenced this pull request Aug 18, 2025
## [6.1.1](v6.1.0...v6.1.1) (2025-08-18)

### Bug Fixes

* Remove any `secretsmanager:*` permissions if no secret ARNs are provided to IRSA external-secrets permissions ([#599](#599)) ([d610954](d610954))
@antonbabenko
Member

This PR is included in version 6.1.1 🎉
