From 6e52b61ef95b8bbe1aeefb9cfed35093d3055efb Mon Sep 17 00:00:00 2001
From: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
Date: Thu, 10 Jul 2025 16:25:20 -0500
Subject: [PATCH] Fix secretsmanager policies in dogfood (#30765)

---
 .../dogfood/terraform/aws-tf-module/entra.tf | 14 ++++++++++++++
 .../dogfood/terraform/aws-tf-module/main.tf | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/infrastructure/dogfood/terraform/aws-tf-module/entra.tf b/infrastructure/dogfood/terraform/aws-tf-module/entra.tf
index 14e5769822..3b9455ded2 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/entra.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/entra.tf
@@ -1,5 +1,19 @@
 variable "entra_api_key" {}
 
+resource "aws_iam_policy" "entra_conditional_access" {
+ name = "fleet-entra-conditional-access"
+ policy = data.aws_iam_policy_document.entra_conditional_access.json
+}
+
+data "aws_iam_policy_document" "entra_conditional_access" {
+ statement {
+ actions = [
+ "secretsmanager:GetSecretValue",
+ ]
+ resources = [aws_secretsmanager_secret.entra_conditional_access.arn]
+ }
+}
+
 resource "aws_secretsmanager_secret" "entra_conditional_access" {
 name = "dogfood-entra-conditional-access"
 }
diff --git a/infrastructure/dogfood/terraform/aws-tf-module/main.tf b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
index 749e2da1e7..2f6883b2c0 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/main.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
@@ -152,7 +152,7 @@ module "main" {
 )
 extra_execution_iam_policies = concat(
 module.mdm.extra_execution_iam_policies,
- [aws_iam_policy.sentry.arn, aws_iam_policy.osquery_sidecar.arn],
+ [aws_iam_policy.sentry.arn, aws_iam_policy.osquery_sidecar.arn, aws_iam_policy.entra_conditional_access.arn],
 module.cloudfront-software-installers.extra_execution_iam_policies,
 ) #, module.saml_auth_proxy.fleet_extra_execution_policies)
 extra_secrets = merge(
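Review bot: The new `aws_iam_policy_document.entra_conditional_access` statement carries no explanation of who consumes it or why it is read-only, and the `aws_iam_policy` has no `description`; since this is the grant that lets a role pull the Entra conditional-access secret, it deserves both. I would add `description = "Read-only access to the dogfood Entra conditional access secret for the Fleet ECS execution role"` on the policy and a comment above the data source such as `# GetSecretValue on this one secret only; the ARN includes Secrets Manager's random suffix, so no wildcard is needed`, plus an explicit `effect = "Allow"` and a `sid` in the statement so the intent survives future edits. The scoping itself looks right: a single action against a single secret ARN rather than a `*` resource. One caveat to confirm: `aws_secretsmanager_secret.entra_conditional_access` sets no `kms_key_id`, so it presumably uses the AWS-managed `aws/secretsmanager` key; if a customer-managed key is ever attached, this policy (or the key policy) will also need `kms:Decrypt`, which is worth noting in the comment.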
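Review bot: The inline list in `extra_execution_iam_policies` now holds three ARNs on one line, which makes the next addition another noisy one-line diff; splitting it one ARN per line with a trailing comma keeps future changes to a single added line and matches the multi-line style of the surrounding `concat(` arguments. Attaching the policy to the execution role (rather than the task role) is correct only if the secret is injected by ECS through `extra_secrets`, which the hunk's last context line suggests but does not show; if the application instead fetches it at runtime via the SDK, it would need the task role, so a short comment next to the ARN, `# execution role: needed to inject the Entra secret via extra_secrets`, would record that decision. The enclosing `module "main"` block starts and ends outside this hunk.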