
Commit d610954

fix: Remove any secretsmanager:* permissions if no secret ARNs are provided to IRSA external-secrets permissions (#599)
1 parent 538a948 commit d610954

File tree

1 file changed

+13
-8
lines changed


modules/iam-role-for-service-accounts/policies.tf

Lines changed: 13 additions & 8 deletions
@@ -483,14 +483,19 @@ data "aws_iam_policy_document" "external_secrets" {
483483
resources = ["*"]
484484
}
485485

486-
statement {
487-
actions = [
488-
"secretsmanager:GetResourcePolicy",
489-
"secretsmanager:GetSecretValue",
490-
"secretsmanager:DescribeSecret",
491-
"secretsmanager:ListSecretVersionIds"
492-
]
493-
resources = var.external_secrets_secrets_manager_arns
486+
dynamic "statement" {
487+
for_each = length(var.external_secrets_secrets_manager_arns) > 0 ? [1] : []
488+
489+
content {
490+
actions = [
491+
"secretsmanager:GetResourcePolicy",
492+
"secretsmanager:GetSecretValue",
493+
"secretsmanager:DescribeSecret",
494+
"secretsmanager:ListSecretVersionIds"
495+
]
496+
497+
resources = var.external_secrets_secrets_manager_arns
498+
}
494499
}
495500

496501
dynamic "statement" {
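Review bot: The new `for_each = length(var.external_secrets_secrets_manager_arns) > 0 ? [1] : []` guard assumes the variable is always a non-null list; if its default is `null` rather than `[]`, `length()` fails at plan time, so either confirm the default in `variables.tf` or guard with `length(coalesce(var.external_secrets_secrets_manager_arns, []))`. With that settled, wrapping the Secrets Manager actions in a conditional `dynamic "statement"` is the right least-privilege fix: when no ARNs are supplied the statement is omitted entirely instead of being emitted with an empty `resources` list, and it matches the `dynamic "statement"` pattern the following block already uses. A short note in the module README or changelog that the generated policy no longer contains any `secretsmanager:*` statement when the list is empty would help users who relied on the old output.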
