From fa74a1817cf5aa49cb1ff30f2b1946be706fc640 Mon Sep 17 00:00:00 2001
From: Alexander Schaber
Date: Thu, 31 Aug 2023 00:47:46 +0200
Subject: [PATCH] fix: Expand Permissions for external-secrets IRSA Policy towards AWS Secrets Manager (#416)

Co-authored-by: Bryant Biggs
---
 .../policies.tf | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index 69dbca14..53d062c2 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -501,9 +501,7 @@ data "aws_iam_policy_document" "external_secrets" {
   }
 
   statement {
-    actions = [
-      "kms:Decrypt"
-    ]
+    actions = ["kms:Decrypt"]
     resources = var.external_secrets_kms_key_arns
   }
 
@@ -511,11 +509,26 @@ data "aws_iam_policy_document" "external_secrets" {
     for_each = var.external_secrets_secrets_manager_create_permission ? [1] : []
     content {
       actions = [
-        "secretsmanager:CreateSecret"
+        "secretsmanager:CreateSecret",
+        "secretsmanager:PutSecretValue",
+        "secretsmanager:TagResource",
       ]
       resources = var.external_secrets_secrets_manager_arns
     }
   }
+
+  dynamic "statement" {
+    for_each = var.external_secrets_secrets_manager_create_permission ? [1] : []
+    content {
+      actions = ["secretsmanager:DeleteSecret"]
+      resources = var.external_secrets_secrets_manager_arns
+      condition {
+        test = "StringEquals"
+        variable = "secretsmanager:ResourceTag/managed-by"
+        values = ["external-secrets"]
+      }
+    }
+  }
 }
 
 resource "aws_iam_policy" "external_secrets" {
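Review bot: The `managed-by` tag condition on the new `secretsmanager:DeleteSecret` statement is only a guard against accidents, not a boundary for a compromised workload, because the statement just above it grants `secretsmanager:TagResource` on the same `var.external_secrets_secrets_manager_arns` with no condition, so the role can bring any in-scope secret under the tag and then qualify for the delete. `secretsmanager:PutSecretValue` is likewise unconditional, so the role may overwrite any secret under those ARNs rather than only the ones the operator created. If the controller applies the tag in the `CreateSecret` request itself rather than with a later `TagResource` call, the tighter shape is to move both actions into the conditioned statement, i.e. `actions = ["secretsmanager:DeleteSecret", "secretsmanager:PutSecretValue", "secretsmanager:TagResource"]` there and `actions = ["secretsmanager:CreateSecret"]` in the unconditioned one — please confirm the controller's write path before changing it. Both statements are keyed on `external_secrets_secrets_manager_create_permission`, so that one variable now also grants update, tag and delete; its description (outside this hunk) should state that. The enclosing `data "aws_iam_policy_document" "external_secrets"` block starts before the hunk.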