From f723ac2c25a732d9333f9c6428a1df43f3d05cc5 Mon Sep 17 00:00:00 2001 From: kaushik327 Date: Fri, 26 Apr 2024 22:40:52 -0500 Subject: [PATCH] cloudformation my beloved --- cloudformation/lambda.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cloudformation/lambda.yml b/cloudformation/lambda.yml index 9453325..710037d 100644 --- a/cloudformation/lambda.yml +++ b/cloudformation/lambda.yml @@ -33,6 +33,11 @@ Parameters: AllowedPattern: ^[a-zA-Z0-9]+[a-zA-Z0-9-]+[a-zA-Z0-9]+$ Default: infra-admin-api-auth-lambda + AADSecretName: + Type: String + AllowedPattern: ^[a-zA-Z0-9]+[a-zA-Z0-9-]+[a-zA-Z0-9]+$ + Default: infra-admin-api-aad-secret + Conditions: UseCustomDomainNameCond: !Equals [!Ref UseCustomDomainName, true] IsProd: !Equals [!Ref Env, 'prod'] @@ -271,6 +276,15 @@ Resources: Resource: - !GetAtt MyDynamoDBTable.Arn PolicyName: lambda-dynamo + - PolicyDocument: + Version: 2012-10-17 + Statement: + - Action: + - secretsmanager:GetSecretValue + Effect: Allow + Resource: + - !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${AADSecretName}* + PolicyName: lambda-secret AdminAPIAuthLambdaLogGroup: Type: AWS::Logs::LogGroup
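Review bot: In the second hunk, the `Resource` ARN of the new `lambda-secret` policy ends in a bare `*`, so `secretsmanager:GetSecretValue` is allowed on every secret in the account and region whose name starts with the `AADSecretName` value, not only the intended secret. With the default from the first hunk, that is any name beginning `infra-admin-api-aad-secret`. Secrets Manager appends a hyphen and six random characters to the secret name in the ARN, so `- !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${AADSecretName}-??????` matches that suffix and nothing longer. The partition is hard-coded as `aws`; `${AWS::Partition}` would keep the template usable in other partitions if that matters here. The role definition starts outside the hunk, so any other statements on it that touch this secret are not visible.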