CMS-Enterprise · sshaikRC · Mar 5, 2024 · Feb 23, 2024 · Feb 23, 2024 · Feb 23, 2024
diff --git a/README.md b/README.md
@@ -57,6 +57,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_app_name"></a> [app\_name](#input\_app\_name) | App name (ie. Flux, Velero, etc.) | `string` | `""` | no |
+| <a name="input_asm_secret_arns"></a> [asm\_secret\_arns](#input\_asm\_secret\_arns) | ARNs of secrets in AWS secrets manager (ASM) to add to policy | `list(string)` | `[]` | no |
 | <a name="input_assume_role_condition_test"></a> [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
 | <a name="input_attach_cloudwatch_policy"></a> [attach\_cloudwatch\_policy](#input\_attach\_cloudwatch\_policy) | Determines whether to attach the cloudwatch permissions to the role | `bool` | `false` | no |
 | <a name="input_attach_dynamodb_policy"></a> [attach\_dynamodb\_policy](#input\_attach\_dynamodb\_policy) | Determines whether to attach the dynamodb policy to the role | `bool` | `false` | no |
@@ -78,7 +79,6 @@ No modules.
 | <a name="input_role_permissions_boundary_arn"></a> [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `"arn:aws:iam::373346310182:policy/cms-cloud-admin/developer-boundary-policy"` | no |
 | <a name="input_role_policy_arns"></a> [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_s3_bucket_arns"></a> [s3\_bucket\_arns](#input\_s3\_bucket\_arns) | List of S3 Bucket ARNs to allow access to | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
-| <a name="input_secret_arns"></a> [secret\_arns](#input\_secret\_arns) | ARNs of secrets in secrets manager to add to policy | `list(string)` | `[]` | no |
 | <a name="input_sops_arn"></a> [sops\_arn](#input\_sops\_arn) | SOPS ARN to allow access to | `string` | `""` | no |
 | <a name="input_sqs_read_write_arns"></a> [sqs\_read\_write\_arns](#input\_sqs\_read\_write\_arns) | List of SQS ARNs to allow read/write access to | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |

diff --git a/policies.tf b/policies.tf
@@ -142,24 +142,28 @@ resource "aws_iam_role_policy_attachment" "dynamodb" {
   policy_arn = aws_iam_policy.dynamodb[0].arn
 }
 
+locals {
+  create_secrets_manager_policy = var.create_role && var.attach_secretsmanager_policy && length(var.asm_secret_arns) > 0
+}
+
 ################################################################################
 # AWS Secrets Manager Policy
 ################################################################################
 data "aws_iam_policy_document" "secrets-manager" {
-  count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
+  count = local.create_secrets_manager_policy ? 1 : 0
 
   statement {
     sid = "SecretsManagerRead"
     actions = [
       "secretsmanager:GetSecretValue",
       "secretsmanager:DescribeSecret"
     ]
-    resources = var.secret_arns
+    resources = var.asm_secret_arns
   }
 }
 
 resource "aws_iam_policy" "secrets-manager" {
-  count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
+  count = local.create_secrets_manager_policy ? 1 : 0
 
   name_prefix = "${var.policy_name_prefix}${var.app_name}-"
   path        = var.role_path
@@ -170,7 +174,7 @@ resource "aws_iam_policy" "secrets-manager" {
 }
 
 resource "aws_iam_role_policy_attachment" "secrets-manager" {
-  count = var.create_role && var.attach_secretsmanager_policy ? 1 : 0
+  count = local.create_secrets_manager_policy ? 1 : 0
 
   role       = aws_iam_role.this[0].name
   policy_arn = aws_iam_policy.secrets-manager[0].arn

diff --git a/variables.tf b/variables.tf
@@ -130,15 +130,16 @@ variable "attach_secretsmanager_policy" {
   default     = false
 }
 
-variable "secret_arns" {
-  description = "ARNs of secrets in secrets manager to add to policy"
+variable "asm_secret_arns" {
+  description = "ARNs of secrets in AWS secrets manager (ASM) to add to policy"
   type        = list(string)
   default     = []
   validation {
-    condition     = !anytrue([for arn in var.secret_arns : (length(regexall("\\*|\\?", arn)) == 0 ? false : true)])
+    condition     = !anytrue([for arn in var.asm_secret_arns : (length(regexall("\\*|\\?", arn)) == 0 ? false : true)])
     error_message = "No '*' or '?' allowed in secret_arns variable"
   }
 }
+
 variable "attach_insights_policy" {
   description = "Determines whether to attach the CloudWatch Insights policy to the role"
   type        = bool