[bugfix] fix permissions on aws-ecs-service secrets (#143)

chanzuckerberg · Oct 9, 2019 · 133cb5c · 133cb5c
1 parent 10727b6
commit 133cb5c
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 30 deletions.
diff --git a/aws-ecs-service-fargate/iam.tf b/aws-ecs-service-fargate/iam.tf
@@ -26,26 +26,11 @@ resource "aws_iam_role_policy_attachment" "task_execution_role" {
 data "aws_iam_policy_document" "registry_secretsmanager" {
   count = var.registry_secretsmanager_arn != null ? 1 : 0
 
-  statement {
-    actions = [
-      "kms:Decrypt",
-    ]
-
-    resources = [var.registry_secretsmanager_arn]
-  }
-
   statement {
     actions = [
       "secretsmanager:GetSecretValue",
     ]
 
-    # Limit to only current version of the secret
-    condition {
-      test     = "ForAnyValue:StringEquals"
-      variable = "secretsmanager:VersionStage"
-      values   = ["AWSCURRENT"]
-    }
-
     resources = [var.registry_secretsmanager_arn]
   }
 }

diff --git a/aws-ecs-service/iam.tf b/aws-ecs-service/iam.tf
@@ -27,26 +27,11 @@ resource "aws_iam_role_policy_attachment" "task_execution_role" {
 data "aws_iam_policy_document" "registry_secretsmanager" {
   count = var.registry_secretsmanager_arn != null ? 1 : 0
 
-  statement {
-    actions = [
-      "kms:Decrypt",
-    ]
-
-    resources = [var.registry_secretsmanager_arn]
-  }
-
   statement {
     actions = [
       "secretsmanager:GetSecretValue",
     ]
 
-    # Limit to only current version of the secret
-    condition {
-      test     = "ForAnyValue:StringEquals"
-      variable = "secretsmanager:VersionStage"
-      values   = ["AWSCURRENT"]
-    }
-
     resources = [var.registry_secretsmanager_arn]
   }
 }