Hi @apparentlymart this works great in my testing here, thanks very much.
However (and I think this is a tangent here), I’m not sure how I can make this conditional, because when I leave the list empty I end up with an empty policy. Any idea how I can get around this?
If I use:
locals {
  lambda_secrets_access = {
    "dev" = [""]
  }
}
I get:
Terraform will perform the following actions:
# aws_iam_role_policy.iam_policy_for_lambda_secrets will be updated in-place
~ resource "aws_iam_role_policy" "iam_policy_for_lambda_secrets" {
id = "policy_id:policy_id"
name = "policy_name"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
Action = "secretsmanager:GetSecretValue"
Effect = "Allow"
~ Resource = [
- "arn:aws:secretsmanager:eu-west-1:111111111111:secret:my-secret-i-want-access-JHKku8",
+ "arn:aws:secretsmanager:eu-west-1:111111111111:secret:",
]
},
]
Version = "2012-10-17"
}
)
role = "role_name"
}
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions in workspace "dev"?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value:
I tried adding a count statement on the resource:
count = local.lambda_secrets_access[local.environment] != "" ? 1 : 0
But this does not seem to help; the resource is still created incomplete rather than not at all.
I googled and I’m not sure how conditional resources are implemented in Terraform.
It seems that this isn’t a feature at all, and count is used by some to get around it.
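The following is an added example of the count pattern asked about above; it is not code from the poster or from @apparentlymart. It assumes a local named local.environment and an IAM role resource named aws_iam_role.lambda exist elsewhere in the configuration (both hypothetical), and uses the aws_region and aws_caller_identity data sources in place of the hard-coded region and account in the plan output:

```hcl
# Added example, not part of the original post. Assumes local.environment and
# aws_iam_role.lambda are defined elsewhere in the configuration.
locals {
  lambda_secrets_access = {
    # Use an empty list, not [""]: [""] is a one-element list containing an
    # empty string, so its length is 1 and the ARN is rendered as "...:secret:".
    "dev"  = []
    "prod" = ["my-secret-i-want-access-JHKku8"]
  }

  # lookup() tolerates an environment with no entry; compact() drops any
  # empty strings so a stray "" can never produce an ARN with no secret name.
  lambda_secret_names = compact(lookup(local.lambda_secrets_access, local.environment, []))
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_iam_role_policy" "iam_policy_for_lambda_secrets" {
  # Conditional resource: zero instances when there is nothing to grant.
  # Comparing a list with != "" is always true (a list never equals a string),
  # which is why the original count expression did not suppress the resource.
  count = length(local.lambda_secret_names) > 0 ? 1 : 0

  name = "policy_name"
  role = aws_iam_role.lambda.id # hypothetical role resource

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "secretsmanager:GetSecretValue"
        # One ARN per configured secret name; never a bare "...:secret:" entry.
        Resource = [
          for name in local.lambda_secret_names :
          "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${name}"
        ]
      }
    ]
  })
}
```

Two checks are worth making after switching to this form: with count set, any other reference to the policy must index it (aws_iam_role_policy.iam_policy_for_lambda_secrets[0].id, or the splat form aws_iam_role_policy.iam_policy_for_lambda_secrets[*].id when it may be absent), and terraform plan in the "dev" workspace should show the policy being destroyed rather than updated in place, which confirms the resource really is absent instead of present with an incomplete Resource list.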