
@ohookins
Contributor

Description

Applies the same dynamic trick to the secretsmanager part of the external secrets role policy, so that if we don't grant access to any secrets we don't end up with an apply error.

Motivation and Context

Without supplying any values for var.external_secrets_secrets_manager_arns we end up with a policy statement like this:

                  + {
                      + Action = [
                          + "secretsmanager:ListSecretVersionIds",
                          + "secretsmanager:GetSecretValue",
                          + "secretsmanager:GetResourcePolicy",
                          + "secretsmanager:DescribeSecret",
                        ]
                      + Effect = "Allow"
                    },

This is invalid since it lacks resources and cannot be applied.

Breaking Changes

No breaking change.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

It's such a trivial change that I don't believe these are necessary, but I can circle back to them if you like.
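The "dynamic trick" the description refers to, written out as an added example rather than the module's own code: a `dynamic "statement"` block whose `for_each` is an empty list when no ARNs are supplied, so the Secrets Manager statement disappears entirely instead of being emitted without a `Resource`. The variable name and the four actions come from the PR; the data source name `external_secrets`, the variable's description and default are assumptions.

```hcl
variable "external_secrets_secrets_manager_arns" {
  # Assumed declaration: the PR only names the variable. An empty list means
  # "grant no Secrets Manager access at all".
  description = "Secrets Manager secret ARNs the external-secrets role may read"
  type        = list(string)
  default     = []
}

data "aws_iam_policy_document" "external_secrets" {
  # The statement is emitted once when at least one ARN is present and zero
  # times otherwise. With the plain (non-dynamic) form, an empty list yields a
  # statement with actions but no resources, which IAM rejects at apply time.
  dynamic "statement" {
    for_each = length(var.external_secrets_secrets_manager_arns) > 0 ? [1] : []

    content {
      effect = "Allow"
      actions = [
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:GetSecretValue",
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:DescribeSecret",
      ]
      # Scoped to exactly the ARNs supplied; never fall back to "*" here, as
      # that would silently grant read access to every secret in the account.
      resources = var.external_secrets_secrets_manager_arns
    }
  }
}
```

Two caveats worth checking in a real module: a policy document whose only statement is dynamic ends up with an empty `Statement` array when the list is empty, which IAM also rejects, so the surrounding policy needs at least one unconditional statement or the policy resource itself has to be guarded with `count`; and the tempting alternative of substituting `["*"]` for an empty list avoids the apply error by over-granting, which is the opposite of what this fix achieves.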

@ohookins ohookins changed the title Make secretsmanager policy statement dynamic. fix: Make secretsmanager policy statement dynamic. Aug 18, 2025
@bryantbiggs bryantbiggs changed the title fix: Make secretsmanager policy statement dynamic. fix: Remove any secretsmanager:* permissions if no secret ARNs are provided to IRSA external-secrets permissions Aug 18, 2025
@bryantbiggs bryantbiggs merged commit d610954 into terraform-aws-modules:master Aug 18, 2025
21 of 22 checks passed
antonbabenko pushed a commit that referenced this pull request Aug 18, 2025
## [6.1.1](v6.1.0...v6.1.1) (2025-08-18)

### Bug Fixes

* Remove any `secretsmanager:*` permissions if no secret ARNs are provided to IRSA external-secrets permissions ([#599](#599)) ([d610954](d610954))
@antonbabenko
Member

This PR is included in version 6.1.1 🎉

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 18, 2025