From 87bf825f0c86501acdafe34e42ea145d084c3ed1 Mon Sep 17 00:00:00 2001
From: Shanawaze
Date: Fri, 23 Feb 2024 09:53:04 -0600
Subject: [PATCH 1/5] adding changes for policy creation with resources
---
 policies.tf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/policies.tf b/policies.tf
index 7891b1c..a405cba 100644
--- a/policies.tf
+++ b/policies.tf
@@ -154,10 +154,15 @@ data "aws_iam_policy_document" "secrets-manager" {
 "secretsmanager:GetSecretValue",
 "secretsmanager:DescribeSecret"
 ]
- resources = var.secret_arns
+ resources = data.aws_secretsmanager_secret.private-registry[0].arn
 }
 }
+data "aws_secretsmanager_secret" "private-registry" {
+ count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
+ name = "private-registry"
+}
+
 resource "aws_iam_policy" "secrets-manager" {
 count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
From 6198b92dd6df7cdfeb9051adfcbee881d3c54b7c Mon Sep 17 00:00:00 2001
From: Shanawaze
Date: Fri, 23 Feb 2024 09:58:58 -0600
Subject: [PATCH 2/5] adding policy changes for including secret manager resources
---
 policies.tf | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/policies.tf b/policies.tf
index a405cba..7891b1c 100644
--- a/policies.tf
+++ b/policies.tf
@@ -154,15 +154,10 @@ data "aws_iam_policy_document" "secrets-manager" {
 "secretsmanager:GetSecretValue",
 "secretsmanager:DescribeSecret"
 ]
- resources = data.aws_secretsmanager_secret.private-registry[0].arn
+ resources = var.secret_arns
 }
 }
-data "aws_secretsmanager_secret" "private-registry" {
- count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
- name = "private-registry"
-}
-
 resource "aws_iam_policy" "secrets-manager" {
 count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
From c9d26b069cf4a2814dbfa3536792ae41d8b30164 Mon Sep 17 00:00:00 2001
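Review bot: `resources` on an `aws_iam_policy_document` statement takes a list of strings, but the new line assigns the single string `data.aws_secretsmanager_secret.private-registry[0].arn`, which Terraform will reject as inappropriate for a list-of-string attribute rather than coerce; it should read `resources = [data.aws_secretsmanager_secret.private-registry[0].arn]`. The hunk also replaces the caller-supplied, wildcard-validated `var.secret_arns` with a secret whose name `"private-registry"` is hard-coded inside the module, so every consumer is bound to that one secret regardless of which secrets it actually needs. PATCH 3/5 re-applies this identical hunk and PATCH 4/5 reverts it in favour of `var.asm_secret_arns`, so the final tree is unaffected, but the intermediate commits should be squashed so the broken state never lands in history. The enclosing `data` block starts outside the hunk.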
From: Shanawaze
Date: Fri, 23 Feb 2024 10:01:43 -0600
Subject: [PATCH 3/5] policy changes
---
 policies.tf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/policies.tf b/policies.tf
index 7891b1c..2e9cda0 100644
--- a/policies.tf
+++ b/policies.tf
@@ -154,10 +154,16 @@ data "aws_iam_policy_document" "secrets-manager" {
 "secretsmanager:GetSecretValue",
 "secretsmanager:DescribeSecret"
 ]
- resources = var.secret_arns
+ resources = data.aws_secretsmanager_secret.private-registry[0].arn
 }
 }
+data "aws_secretsmanager_secret" "private-registry" {
+ count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
+ name = "private-registry"
+}
+
+
 resource "aws_iam_policy" "secrets-manager" {
 count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
From b971415b95d38ccc336fd6c2fdaea03cea615a49 Mon Sep 17 00:00:00 2001
From: Shanawaze
Date: Wed, 28 Feb 2024 13:59:10 -0600
Subject: [PATCH 4/5] adding back variable changes for eso secrets arn
---
 policies.tf | 18 ++++++++----------
 variables.tf | 7 ++++---
 2 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/policies.tf b/policies.tf
index 2e9cda0..42c2ef4 100644
--- a/policies.tf
+++ b/policies.tf
@@ -142,11 +142,15 @@ resource "aws_iam_role_policy_attachment" "dynamodb" {
 policy_arn = aws_iam_policy.dynamodb[0].arn
 }
+locals {
+ create_secrets_manager_policy = var.create_role && var.attach_secretsmanager_policy && length(var.asm_secret_arns) > 0
+}
+
 ################################################################################
 # AWS Secrets Manager Policy
 ################################################################################
 data "aws_iam_policy_document" "secrets-manager" {
- count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
+ count = local.create_secrets_manager_policy ? 1 : 0
 statement {
 sid = "SecretsManagerRead"
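Review bot: The new `local.create_secrets_manager_policy` carries no comment, and the reason for the extra `length(var.asm_secret_arns) > 0` term is not obvious to a reader who only sees the three `count` lines it feeds. Suggest adding above the local `# Create the Secrets Manager policy only when at least one secret ARN was supplied; with an empty list the statement would presumably have no usable Resource, and attach_secretsmanager_policy on its own must not grant anything.` Gating the `aws_iam_policy` and `aws_iam_role_policy_attachment` resources in the following hunks on the same local is the right fail-closed direction. Be aware that a caller who sets the flag but forgets the ARNs now silently gets no policy rather than an error; if that should be loud, a variable `validation` or resource `precondition` could surface it.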
@@ -154,18 +158,12 @@ data "aws_iam_policy_document" "secrets-manager" {
 "secretsmanager:GetSecretValue",
 "secretsmanager:DescribeSecret"
 ]
- resources = data.aws_secretsmanager_secret.private-registry[0].arn
+ resources = var.asm_secret_arns
 }
 }
-data "aws_secretsmanager_secret" "private-registry" {
- count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
- name = "private-registry"
-}
-
-
 resource "aws_iam_policy" "secrets-manager" {
- count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
+ count = local.create_secrets_manager_policy ? 1 : 0
 name_prefix = "${var.policy_name_prefix}${var.app_name}-"
 path = var.role_path
@@ -176,7 +174,7 @@ resource "aws_iam_policy" "secrets-manager" {
 }
 resource "aws_iam_role_policy_attachment" "secrets-manager" {
- count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
+ count = local.create_secrets_manager_policy ? 1 : 0
 role = aws_iam_role.this[0].name
 policy_arn = aws_iam_policy.secrets-manager[0].arn
diff --git a/variables.tf b/variables.tf
index b1bffd2..b2739c4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -130,15 +130,16 @@ variable "attach_secretsmanager_policy" {
 default = false
 }
-variable "secret_arns" {
- description = "ARNs of secrets in secrets manager to add to policy"
+variable "asm_secret_arns" {
+ description = "ARNs of secrets in AWS secrets manager (ASM) to add to policy"
 type = list(string)
 default = []
 validation {
- condition = !anytrue([for arn in var.secret_arns : (length(regexall("\\*|\\?", arn)) == 0 ? false : true)])
+ condition = !anytrue([for arn in var.asm_secret_arns : (length(regexall("\\*|\\?", arn)) == 0 ? false : true)])
 error_message = "No '*' or '?' allowed in secret_arns variable"
 }
 }
+
 variable "attach_insights_policy" {
 description = "Determines whether to attach the CloudWatch Insights policy to the role"
 type = bool
From 682caaf982ebe08a4a5644940d1c396e8d7f0988 Mon Sep 17 00:00:00 2001
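Review bot: The `error_message` in the validation block still names the old variable, `"No '*' or '?' allowed in secret_arns variable"`, while the variable and the condition above it now use `asm_secret_arns`; change it to `error_message = "No '*' or '?' allowed in asm_secret_arns variable"` so a failing plan points at the input the caller actually set. Renaming `secret_arns` to `asm_secret_arns` is also a breaking interface change for existing consumers of this module: a caller still passing `secret_arns` will fail with an unsupported-argument error rather than silently losing the grant, which is the safe direction, but it deserves an explicit call-out in the commit message or changelog. The wildcard check itself should stay exactly as written, since it is what keeps this per-secret read grant from being widened to `secretsmanager:GetSecretValue` on `*` by a careless input.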
From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
Date: Thu, 29 Feb 2024 16:43:00 +0000
Subject: [PATCH 5/5] [pre-commit.ci lite] apply automatic fixes
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e6580d0..3e36715 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [app\_name](#input\_app\_name) | App name (ie. Flux, Velero, etc.) | `string` | `""` | no |
+| [asm\_secret\_arns](#input\_asm\_secret\_arns) | ARNs of secrets in AWS secrets manager (ASM) to add to policy | `list(string)` | `[]` | no |
 | [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
 | [attach\_cloudwatch\_policy](#input\_attach\_cloudwatch\_policy) | Determines whether to attach the cloudwatch permissions to the role | `bool` | `false` | no |
 | [attach\_dynamodb\_policy](#input\_attach\_dynamodb\_policy) | Determines whether to attach the dynamodb policy to the role | `bool` | `false` | no |
@@ -78,7 +79,6 @@ No modules.
 | [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `"arn:aws:iam::373346310182:policy/cms-cloud-admin/developer-boundary-policy"` | no |
 | [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
 | [s3\_bucket\_arns](#input\_s3\_bucket\_arns) | List of S3 Bucket ARNs to allow access to | `list(string)` |
[
""
]
| no |
-| [secret\_arns](#input\_secret\_arns) | ARNs of secrets in secrets manager to add to policy | `list(string)` | `[]` | no |
 | [sops\_arn](#input\_sops\_arn) | SOPS ARN to allow access to | `string` | `""` | no |
 | [sqs\_read\_write\_arns](#input\_sqs\_read\_write\_arns) | List of SQS ARNs to allow read/write access to | `list(string)` | `[]` | no |
 | [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |