
D12505.diff

D12505.diff

diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -103,11 +103,34 @@
managed_policy_arns = [
aws_iam_policy.allow_ecs_exec.arn,
+ aws_iam_policy.read_services_token.arn,
"arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
]
}
+# Services token read policy
+data "aws_iam_policy_document" "read_services_token" {
+ statement {
+ sid = "SecretsManagerReadServicesToken"
+ effect = "Allow"
+ actions = [
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:ListSecretVersionIds"
+ ]
+ resources = [
+ module.shared.services_token_id
+ ]
+ }
+}
+resource "aws_iam_policy" "read_services_token" {
+ name = "service-to-service-token-read-access"
+ policy = data.aws_iam_policy_document.read_services_token.json
+ description = "Allows full read access to service-to-service token SecretsManager secret"
+}
+
# Feature Flags IAM
data "aws_iam_policy_document" "read_feature_flags" {
statement {
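Review bot: The action list in the new `read_services_token` statement grants more than reading the token: `secretsmanager:GetResourcePolicy` and `secretsmanager:ListSecretVersionIds` are not needed to fetch the current secret value, and a consumer of a shared token normally needs only `secretsmanager:GetSecretValue` (plus `secretsmanager:DescribeSecret` if it inspects metadata), so dropping those two lines keeps the policy at least privilege and the description could then read `Allows reading the service-to-service token SecretsManager secret` instead of "full read access". The same policy is attached to three task roles (this hunk and the two later hunks at `@@ -164` and `@@ -192`), so each of those services can read the one shared token; if that is intentional, a comment on the `aws_iam_policy` naming which services are expected to present the token would help anyone auditing the roles later. The `resources` entry relies on `module.shared.services_token_id` being the secret's ARN; `aws_secretsmanager_secret` exposes the ARN as its `id`, so this is fine if that is what the module outputs, but it is worth confirming. The `read_feature_flags` data block at the end of the hunk continues outside it.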
@@ -164,7 +187,8 @@
managed_policy_arns = [
aws_iam_policy.allow_ecs_exec.arn,
- aws_iam_policy.manage_backup_ddb.arn
+ aws_iam_policy.manage_backup_ddb.arn,
+ aws_iam_policy.read_services_token.arn,
]
}
@@ -192,10 +216,12 @@
managed_policy_arns = [
aws_iam_policy.allow_ecs_exec.arn,
- aws_iam_policy.manage_reports_ddb.arn
+ aws_iam_policy.manage_reports_ddb.arn,
+ aws_iam_policy.read_services_token.arn,
]
}
+# Identity Search
data "aws_iam_policy_document" "assume_identity_search_role" {
statement {
