From 8d4230ec362ff1c91b4b0a7c77bbc607d47d097d Mon Sep 17 00:00:00 2001
From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date: Fri, 1 Dec 2023 09:53:03 +0000
Subject: [PATCH] DSOS-2423: ssm and secrets policy fix (#258)

* DSOS-2423: fix bug with ssm params and secrets policy
* fix
* permission fix
* fix
* fix
* fix
* test
* test
* fix
---
 main.tf | 43 +++++++++++++++++++++++++------------------
 1 file changed, 25 insertions(+), 18 deletions(-)

diff --git a/main.tf b/main.tf
index 35b7024..07710b9 100644
--- a/main.tf
+++ b/main.tf
@@ -293,23 +293,30 @@ resource "aws_secretsmanager_secret" "placeholder" {
 #------------------------------------------------------------------------------
 
 data "aws_iam_policy_document" "ssm_params_and_secrets" {
-  statement {
-    effect = "Allow"
-    actions = flatten([
-      "ssm:GetParameter",
-      length(aws_ssm_parameter.placeholder) != 0 ? ["ssm:PutParameter"] : []
-    ])
-    #tfsec:ignore:aws-iam-no-policy-wildcards: acccess scoped to parameter path of EC2
-    resources = ["arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.id}:parameter/${var.ssm_parameters_prefix}${var.name}/*"]
+  count = var.ssm_parameters != null || var.secretsmanager_secrets != null ? 1 : 0
+  dynamic "statement" {
+    for_each = var.ssm_parameters != null ? ["ssm"] : []
+    content {
+      effect = "Allow"
+      actions = flatten([
+        "ssm:GetParameter",
+        length(aws_ssm_parameter.placeholder) != 0 ? ["ssm:PutParameter"] : []
+      ])
+      #tfsec:ignore:aws-iam-no-policy-wildcards: acccess scoped to parameter path of EC2
+      resources = ["arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.id}:parameter/${var.ssm_parameters_prefix}${var.name}/*"]
+    }
   }
-  statement {
-    effect = "Allow"
-    actions = flatten([
-      "secretsmanager:GetSecretValue",
-      "secretsmanager:PutSecretValue"
-    ])
-    #tfsec:ignore:aws-iam-no-policy-wildcards: acccess scoped to parameter path of EC2
-    resources = ["arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.id}:secret:/${var.secretsmanager_secrets_prefix}${var.name}/*"]
+  dynamic "statement" {
+    for_each = var.secretsmanager_secrets != null ? ["secret"] : []
+    content {
+      effect = "Allow"
+      actions = flatten([
+        "secretsmanager:GetSecretValue",
+        length(aws_secretsmanager_secret.placeholder) != 0 ? ["secretsmanager:PutSecretValue"] : []
+      ])
+      #tfsec:ignore:aws-iam-no-policy-wildcards: acccess scoped to parameter path of EC2
+      resources = ["arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.id}:secret:/${var.secretsmanager_secrets_prefix}${var.name}/*"]
+    }
   }
 }
 
@@ -344,10 +351,10 @@ resource "aws_iam_role" "this" {
 }
 
 resource "aws_iam_role_policy" "ssm_params_and_secrets" {
-  count = var.ssm_parameters != null && var.secretsmanager_secrets != null ? 1 : 0
+  count = length(data.aws_iam_policy_document.ssm_params_and_secrets)
   name = "Ec2SSMParamsAndSecretsPolicy-${var.name}"
   role = aws_iam_role.this.id
-  policy = data.aws_iam_policy_document.ssm_params_and_secrets.json
+  policy = data.aws_iam_policy_document.ssm_params_and_secrets[count.index].json
 }
 
 resource "aws_iam_instance_profile" "this" {
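Review bot: The `#tfsec:ignore:aws-iam-no-policy-wildcards` justification on the new Secrets Manager statement still reads "acccess scoped to parameter path of EC2", copied from the SSM statement, so the comment that records why this wildcard is acceptable describes the wrong resource (the wildcard here is on `secret:/${var.secretsmanager_secrets_prefix}${var.name}/*`). Suggest `#tfsec:ignore:aws-iam-no-policy-wildcards: access scoped to this instance's secret name prefix; the trailing wildcard is needed because Secrets Manager appends a random suffix to secret ARNs`, and fixing "acccess" in the SSM statement's copy as well. Separately, both `for_each` guards only test for `null`; if `var.ssm_parameters` or `var.secretsmanager_secrets` can be an empty map rather than `null` (the variable declarations are outside this hunk), the Get* statement is still emitted for a path that holds nothing, and `try(length(var.ssm_parameters), 0) > 0` would tie the grant to entries actually declared. The `count` gate at the top of the data source presumably exists so the role policy is never given a document with no statements; a one-line comment stating that would help the next reader.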
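Review bot: The new `count = length(data.aws_iam_policy_document.ssm_params_and_secrets)` carries no comment explaining that it mirrors the data source's own `count` gate, so a reader of this resource alone cannot see why it is conditional or what makes it 0. Suggest `# 0 or 1: the inline policy exists only when the policy document above has at least one statement to carry` above the `count` line. Because that length is never more than 1, `[0]` and `[count.index]` select the same instance; `count.index` is fine but reads as if several instances were possible.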