add support for a non default secretsmanager key

telia-oss · May 7, 2019 · 456c8d0 · 456c8d0
1 parent 2a4d7ee
commit 456c8d0
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/policies.tf b/policies.tf
@@ -47,16 +47,22 @@ data "aws_iam_policy_document" "task_execution_permissions" {
   }
 }
 
+data "aws_kms_key" "secretsmanager_key" {
+  key_id = "${var.repository_credentials_kms_key}"
+}
+
 data "aws_iam_policy_document" "read_repository_credentials" {
   statement {
     effect = "Allow"
 
     resources = [
       "${var.repository_credentials}",
+      "${data.aws_kms_key.secretsmanager_key.arn}",
     ]
 
     actions = [
       "secretsmanager:GetSecretValue",
+      "kms:Decrypt",
     ]
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -113,6 +113,11 @@ variable "repository_credentials" {
   description = "name or ARN of a secrets manager secret (arn:aws:secretsmanager:region:aws_account_id:secret:secret_name)"
 }
 
+variable "repository_credentials_kms_key" {
+  default     = "alias/aws/secretsmanager"
+  description = "key id, key ARN, alias name or alias ARN of the key that encrypted the repository credentials"
+}
+
 locals {
   # if the variable is set, create the fragment based on the variable value
   # if not, just return a empty string to not mess up the json