From e44be70600b64048bd06aa2565036a4b4814f52a Mon Sep 17 00:00:00 2001
From: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
Date: Thu, 30 Mar 2023 13:59:37 -0500
Subject: [PATCH] Include execution policy for sentry secret (#10894)

---
 .../dogfood/terraform/aws-tf-module/main.tf | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/infrastructure/dogfood/terraform/aws-tf-module/main.tf b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
index 7162e5a63e..d979157638 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/main.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
@@ -88,7 +88,7 @@ module "main" {
 }
 }
 extra_iam_policies = concat(module.firehose-logging.fleet_extra_iam_policies, module.osquery-carve.fleet_extra_iam_policies)
- extra_execution_iam_policies = concat(module.mdm.extra_execution_iam_policies)
+ extra_execution_iam_policies = concat(module.mdm.extra_execution_iam_policies, [aws_iam_policy.sentry.arn])
 extra_environment_variables = merge(module.mdm.extra_environment_variables, module.firehose-logging.fleet_extra_environment_variables, module.osquery-carve.fleet_extra_environment_variables, local.extra_environment_variables)
 extra_secrets = merge(module.mdm.extra_secrets, local.sentry_secrets)
 }
@@ -157,6 +157,20 @@ resource "aws_secretsmanager_secret_version" "sentry" {
 })
 }
 
+resource "aws_iam_policy" "sentry" {
+ name = "fleet-sentry-secret-policy"
+ policy = data.aws_iam_policy_document.sentry.json
+}
+
+data "aws_iam_policy_document" "sentry" {
+ statement {
+ actions = [
+ "secretsmanager:GetSecretValue",
+ ]
+ resources = [aws_secretsmanager_secret.sentry.arn]
+ }
+}
+
 module "migrations" {
 source = "github.com/fleetdm/fleet//terraform/addons/migrations?ref=main"
 ecs_cluster = module.main.byo-vpc.byo-db.byo-ecs.service.cluster
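Review bot: The new `aws_iam_policy_document.sentry` in the second hunk grants only `secretsmanager:GetSecretValue` on the secret ARN, which is correctly scoped, but if `aws_secretsmanager_secret.sentry` (defined outside this diff) is encrypted with a customer-managed KMS key the execution role also needs `kms:Decrypt` on that key or the task will fail at startup; this only holds for the default `aws/secretsmanager` key without an extra grant, so it is worth confirming which key the secret uses. The policy `name = "fleet-sentry-secret-policy"` is a fixed string, so a second deployment of this module into the same account would collide on the IAM policy name; `name_prefix` would avoid that if such reuse is intended. A short comment linking the policy to the `extra_secrets` wiring changed in the first hunk would help the next reader, e.g. `# Lets the ECS task execution role resolve the Sentry secret passed in via extra_secrets.`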