Merge pull request #15 from sysdiglabs/fix-add-role-proxy-password

sysdiglabs · Feb 13, 2023 · 1d60a4d · 1d60a4d
2 parents 38ef28f + 68c3378
commit 1d60a4d
Showing 1 changed file with 30 additions and 5 deletions.
diff --git a/roles.tf b/roles.tf
@@ -1,5 +1,6 @@
 locals {
-  secret_reference = local.do_fetch_secret_access_key ? split(":", var.access_key) : []
+  secret_reference_access_key = local.do_fetch_secret_access_key ? split(":", var.access_key) : []
+  secret_reference_http_proxy_password = local.do_fetch_secret_http_proxy_password ? split(":", var.http_proxy_configuration.proxy_password) : []
 }
 
 resource "aws_iam_role" "orchestrator_agent_execution_role" {
@@ -10,7 +11,7 @@ resource "aws_iam_role" "orchestrator_agent_execution_role" {
   dynamic "inline_policy" {
     for_each = local.do_fetch_secret_access_key ? ["SecretsManagerAccessKey"] : []
     content {
-      name = "root"
+      name = "SysdigGetSecretAccessKey"
       policy = jsonencode({
         Version = "2012-10-17"
         Statement = [
@@ -20,9 +21,33 @@ resource "aws_iam_role" "orchestrator_agent_execution_role" {
             ]
             Effect = "Allow"
             Resource = [format("arn:aws:secretsmanager:%s:%s:secret:%s",
-              element(local.secret_reference, 3),
-              element(local.secret_reference, 4),
-              element(local.secret_reference, 6)
+              element(local.secret_reference_access_key, 3),
+              element(local.secret_reference_access_key, 4),
+              element(local.secret_reference_access_key, 6)
+              )
+            ]
+          },
+        ]
+      })
+    }
+  }
+
+  dynamic "inline_policy" {
+    for_each = local.do_fetch_secret_http_proxy_password ? ["SysdigGetSecretHttpProxyPassword"] : []
+    content {
+      name = "SysdigGetSecretHttpProxyPassword"
+      policy = jsonencode({
+        Version = "2012-10-17"
+        Statement = [
+          {
+            Action = [
+              "secretsmanager:GetSecretValue",
+            ]
+            Effect = "Allow"
+            Resource = [format("arn:aws:secretsmanager:%s:%s:secret:%s",
+              element(local.secret_reference_http_proxy_password, 3),
+              element(local.secret_reference_http_proxy_password, 4),
+              element(local.secret_reference_http_proxy_password, 6)
               )
             ]
           },