Merge pull request #10 from GSA/fix_iam

Brian Fitzwater - IDI-C · web-flow · commit 3a8ab9e40b13 · 2020-09-16T17:20:49.000-04:00
more iam fixes
diff --git a/iam.tf b/iam.tf
@@ -88,7 +88,9 @@ data "aws_iam_policy_document" "policy" {
     effect = "Allow"
     actions = [
       "secretsmanager:GetSecretValue",
-      "secretsmanager:UpdateSecret"
+      "secretsmanager:UpdateSecret",
+      "secretsmanager:PutSecretValue",
+      "secretsmanager:UpdateSecretVersionStage"
     ]
     resources = ["arn:aws:secretsmanager:${var.region}:${local.account_id}:secret:ansible-*"]
   }
diff --git a/lambda.tf b/lambda.tf
@@ -68,3 +68,10 @@ resource "aws_lambda_function" "rotate_keypair" {
 
   depends_on = [aws_iam_role_policy_attachment.attach]
 }
+
+# allow secretsmanager to trigger lambda
+resource "aws_lambda_permission" "secretsmanager_invoke" {
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.rotate_keypair.function_name
+  principal     = "secretsmanager.amazonaws.com"
+}

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,9 @@ data "aws_iam_policy_document" "policy" {`
`88`	`88`	`effect = "Allow"`
`89`	`89`	`actions = [`
`90`	`90`	`"secretsmanager:GetSecretValue",`
`91`		`- "secretsmanager:UpdateSecret"`
	`91`	`+ "secretsmanager:UpdateSecret",`
	`92`	`+ "secretsmanager:PutSecretValue",`
	`93`	`+ "secretsmanager:UpdateSecretVersionStage"`
`92`	`94`	`]`
`93`	`95`	`resources = ["arn:aws:secretsmanager:${var.region}:${local.account_id}:secret:ansible-*"]`
`94`	`96`	`}`