Merge pull request #157 from uktrade/feat/allow-multiple-secrets-airflow

feat: allow multiple secrets for Airflow teams
uktrade · Nov 12, 2024 · 393eedd · 393eedd
2 parents 45b0ba2 + a37f6e0
commit 393eedd
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/infra/airflow_dag_processor.tf b/infra/airflow_dag_processor.tf
@@ -235,7 +235,20 @@ data "aws_iam_policy_document" "airflow_team" {
     ]
 
     resources = [
-      "arn:aws:secretsmanager:${data.aws_region.aws_region.name}:${data.aws_caller_identity.aws_caller_identity.account_id}:secret:${var.prefix}/airflow/${var.airflow_dag_processors[count.index].name}-*"
+      "arn:aws:secretsmanager:${data.aws_region.aws_region.name}:${data.aws_caller_identity.aws_caller_identity.account_id}:secret:${var.prefix}/airflow/${var.airflow_dag_processors[count.index].name}-*",
+      "arn:aws:secretsmanager:${data.aws_region.aws_region.name}:${data.aws_caller_identity.aws_caller_identity.account_id}:secret:${var.prefix}/airflow/${var.airflow_dag_processors[count.index].name}_2-*"
+    ]
+  }
+
+  # This just gives a permission to call BatchGetSecretValue, but doesn't actually give permission
+  # to look at any secret values themselves - secretsmanager:GetSecretValue does that
+  statement {
+    actions = [
+      "secretsmanager:BatchGetSecretValue"
+    ]
+
+    resources = [
+      "*"
     ]
   }