[bugfix] Fix secretsmanager execution role IAM policy in aws-ecs-job (#144)

mbarrien · web-flow · commit 4dee504e7588 · 2019-10-10T11:12:13.000-07:00
diff --git a/aws-ecs-job-fargate/iam.tf b/aws-ecs-job-fargate/iam.tf
@@ -27,26 +27,11 @@ resource "aws_iam_role_policy_attachment" "task_execution_role" {
 data "aws_iam_policy_document" "registry_secretsmanager" {
   count = var.registry_secretsmanager_arn != null ? 1 : 0
 
-  statement {
-    actions = [
-      "kms:Decrypt",
-    ]
-
-    resources = [var.registry_secretsmanager_arn]
-  }
-
   statement {
     actions = [
       "secretsmanager:GetSecretValue",
     ]
 
-    # Limit to only current version of the secret
-    condition {
-      test     = "ForAnyValue:StringEquals"
-      variable = "secretsmanager:VersionStage"
-      values   = ["AWSCURRENT"]
-    }
-
     resources = [var.registry_secretsmanager_arn]
   }
 }
diff --git a/aws-ecs-job/iam.tf b/aws-ecs-job/iam.tf
@@ -28,26 +28,11 @@ resource "aws_iam_role_policy_attachment" "task_execution_role" {
 data "aws_iam_policy_document" "registry_secretsmanager" {
   count = var.registry_secretsmanager_arn != null ? 1 : 0
 
-  statement {
-    actions = [
-      "kms:Decrypt",
-    ]
-
-    resources = [var.registry_secretsmanager_arn]
-  }
-
   statement {
     actions = [
       "secretsmanager:GetSecretValue",
     ]
 
-    # Limit to only current version of the secret
-    condition {
-      test     = "ForAnyValue:StringEquals"
-      variable = "secretsmanager:VersionStage"
-      values   = ["AWSCURRENT"]
-    }
-
     resources = [var.registry_secretsmanager_arn]
   }
 }
