[bugfix] fix permissions on aws-ecs-service secrets (#143)

mbarrien · web-flow · commit 133cb5c3ab7a · 2019-10-09T10:54:43.000-07:00
diff --git a/aws-ecs-service-fargate/iam.tf b/aws-ecs-service-fargate/iam.tf
@@ -26,26 +26,11 @@ resource "aws_iam_role_policy_attachment" "task_execution_role" {
 data "aws_iam_policy_document" "registry_secretsmanager" {
   count = var.registry_secretsmanager_arn != null ? 1 : 0
 
-  statement {
-    actions = [
-      "kms:Decrypt",
-    ]
-
-    resources = [var.registry_secretsmanager_arn]
-  }
-
   statement {
     actions = [
       "secretsmanager:GetSecretValue",
     ]
 
-    # Limit to only current version of the secret
-    condition {
-      test     = "ForAnyValue:StringEquals"
-      variable = "secretsmanager:VersionStage"
-      values   = ["AWSCURRENT"]
-    }
-
     resources = [var.registry_secretsmanager_arn]
   }
 }
diff --git a/aws-ecs-service/iam.tf b/aws-ecs-service/iam.tf
@@ -27,26 +27,11 @@ resource "aws_iam_role_policy_attachment" "task_execution_role" {
 data "aws_iam_policy_document" "registry_secretsmanager" {
   count = var.registry_secretsmanager_arn != null ? 1 : 0
 
-  statement {
-    actions = [
-      "kms:Decrypt",
-    ]
-
-    resources = [var.registry_secretsmanager_arn]
-  }
-
   statement {
     actions = [
       "secretsmanager:GetSecretValue",
     ]
 
-    # Limit to only current version of the secret
-    condition {
-      test     = "ForAnyValue:StringEquals"
-      variable = "secretsmanager:VersionStage"
-      values   = ["AWSCURRENT"]
-    }
-
     resources = [var.registry_secretsmanager_arn]
   }
 }
