feat: Support policies for secrets

BREAKING CHANGE: Input format for the secrets has changed

Author: terranisu

locals.tf

@@ -0,0 +1,4 @@
+locals {
+  secrets = { for secret in var.secrets : secret.name => secret.value }
+  arns    = { for secret in var.secrets : secret.name => secret.allowed_arns if length(secret.allowed_arns) > 0 }
+}

main.tf

@@ -1,17 +1,35 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "access" {
+  for_each = local.arns
+
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = each.value
+    }
+
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = ["arn:aws:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:${var.app_name}-${each.key}*"]
+  }
+}
+
 resource "aws_secretsmanager_secret" "app" {
-  for_each = var.secrets
+  for_each = local.secrets
 
   name_prefix = "${var.app_name}-${each.key}"
   description = "The ${title(replace(each.key, "-", " "))} secret for ${var.app_name} application"
 
+  policy = lookup(local.arns, each.key, null) == null ? null : data.aws_iam_policy_document.access[each.key].json
+
   tags = merge(var.tags, { "service" = var.app_name })
 }
 
 resource "aws_secretsmanager_secret_version" "app" {
-  for_each = var.secrets
+  for_each = local.secrets
 
   secret_id     = aws_secretsmanager_secret.app[each.key].id
-  secret_string = each.value
+  secret_string = each.value != "" ? each.value : "[value required]"
 
   lifecycle {
     ignore_changes = [secret_string]

outputs.tf

@@ -1,9 +1,9 @@
 output "all" {
   description = "Map of names and arns of created secrets"
   value = [
-    for k in keys(var.secrets) : {
-      name = upper(replace(k, "-", "_"))
-      arn  = aws_secretsmanager_secret.app[k].id
+    for name in keys(local.secrets) : {
+      name = upper(replace(name, "-", "_"))
+      arn  = aws_secretsmanager_secret.app[name].id
     }
   ]
 }

variables.tf

@@ -3,9 +3,22 @@ variable "app_name" {
   type        = string
 }
 
+variable "aws_region" {
+  description = "AWS region"
+  type        = string
+
+  default = "us-east-2"
+}
+
 variable "secrets" {
-  description = "Key-value map of secrets"
-  type        = map(string)
+  description = "List of objects of secrets"
+  type = list(
+    object({
+      name         = string
+      value        = string
+      allowed_arns = list(string)
+    })
+  )
 }
 
 variable "tags" {