Merge pull request #21 from ministryofjustice/add-secrets-manager

Add secretsmanager permissions to sso access
ministryofjustice · May 3, 2023 · 8e5f568 · 8e5f568
2 parents feffd88 + c43284c
commit 8e5f568
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -58,6 +58,7 @@ No modules.
 | [aws_iam_policy_document.pi_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.rds_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.secretsmanager_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sns_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sqs_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.vpc_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

diff --git a/aws.tf b/aws.tf
@@ -53,6 +53,7 @@ data "aws_iam_policy_document" "combined" {
     data.aws_iam_policy_document.sns_for_github.json,
     data.aws_iam_policy_document.sqs_for_github.json,
     data.aws_iam_policy_document.vpc_for_github.json,
+    data.aws_iam_policy_document.secretsmanager_for_github.json,
   ]
 }
 

diff --git a/secretsmanager.tf b/secretsmanager.tf
@@ -0,0 +1,28 @@
+data "aws_iam_policy_document" "secretsmanager_for_github" {
+  statement {
+    sid    = "AllowSecretsManagerListDescribe"
+    effect = "Allow"
+    actions = [
+      "secretsmanager:ListSecrets",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "AllowSecretsManagerGetPutValue"
+    effect = "Allow"
+    actions = [
+      "secretsmanager:DescribeSecret",
+      "secretmanager:ListSecretVersionIds",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:PutSecretValue",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "aws:PrincipalTag/GithubTeam"
+      values   = ["*:$${aws:ResourceTag/GithubTeam}:*"]
+    }
+  }
+}