Allow applications to read secrets

This separates the read/write principals for secrets so that applications are allowed to read their secrets, but not to change them.
thoughtbot · Apr 2, 2024 · 36a2074 · 36a2074
1 parent a87ee1a
commit 36a2074
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/main.tf b/main.tf
@@ -44,7 +44,8 @@ locals {
 
   read_principals = concat(
     local.execution_role_arns,
-    local.read_permission_set_roles
+    local.read_permission_set_roles,
+    [module.pod_role.arn],
   )
 
   readwrite_permission_set_roles = [
@@ -62,11 +63,16 @@ locals {
     module.sso_roles.by_name[name]
   ]
 
-  secret_principals = concat(
+  secret_write_principals = concat(
     local.execution_role_arns,
     local.secret_permission_set_roles
   )
 
+  secret_read_principals = concat(
+    local.secret_write_principals,
+    [module.pod_role.arn]
+  )
+
   secrets = concat(
     module.postgres_admin_login[*],
     module.redis_token[*],

diff --git a/secrets.tf b/secrets.tf
@@ -5,6 +5,8 @@ module "secret_key" {
   description           = "Secret key for ${local.instance_name}"
   environment_variables = [var.secret_key_variable]
   name                  = "${local.instance_name}-secret-key"
+  read_principals       = local.secret_read_principals
+  readwrite_principals  = local.secret_write_principals
 }
 
 module "secret_key_policy" {
@@ -24,8 +26,8 @@ module "developer_managed_secrets" {
   description           = "Developer-managed ${each.key} secrets for ${local.instance_name}"
   environment_variables = each.value
   name                  = "${local.instance_name}-${lower(each.key)}"
-  read_principals       = local.secret_principals
-  readwrite_principals  = local.secret_principals
+  read_principals       = local.secret_read_principals
+  readwrite_principals  = local.secret_write_principals
 }
 
 module "developer_managed_secrets_policy" {