Support multiple services in params reader policy (#121)

Author: mbarrien

aws-params-reader-policy/README.md

@@ -8,6 +8,7 @@ Creates a policy to access encrypted parameters in Parameter Store for a given s
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | env | Env for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| extra_services | Extra services to be given parameter read access to, within the same project and environment. | list(string) | `[]` | no |
 | parameter\_store\_key\_alias | Alias of the encryption key used to encrypt parameter store values. | string | `"parameter_store_key"` | no |
 | project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
 | region | Region the parameter store values can be read from. Defaults to all. | string | `"*"` | no |

aws-params-reader-policy/main.tf

@@ -1,5 +1,10 @@
 locals {
   resource_name = "${var.project}-${var.env}-${var.service}"
+  services      = concat([var.service], var.extra_services)
+
+  param_resources = [
+    for serv in local.services : "arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/${var.project}-${var.env}-${serv}/*"
+  ]
 }
 
 data "aws_caller_identity" "current" {}
@@ -18,7 +23,7 @@ data "aws_iam_policy_document" "policy" {
       "ssm:DescribeParameters",
     ]
 
-    resources = ["arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/${local.resource_name}/*"]
+    resources = local.param_resources
   }
 
   statement {

aws-params-reader-policy/variables.tf

@@ -29,3 +29,9 @@ variable "region" {
   description = "Region the parameter store values can be read from. Defaults to all."
   type        = "string"
 }
+
+variable "extra_services" {
+  type        = list(string)
+  description = "Extra services to be given parameter read access to, within the same project and environment."
+  default     = []
+}