
Commit bba670e

Remove redundant policy scoping
The Prometheus and CloudWatch agent configs are SSM parameters, not secrets
1 parent 96c2bad commit bba670e

2 files changed

Lines changed: 4 additions & 2 deletions


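--- a/terraform/app/iam_policy_documents.tf
+++ b/terraform/app/iam_policy_documents.tf
@@ -30,7 +30,7 @@ data "aws_iam_policy_document" "ecs_secrets_access" {
 content {
 sid = "dbSecretSid"
 actions = ["secretsmanager:GetSecretValue"]
-resources = concat([for kv_pair in local.secret_values[each.key] : kv_pair["valueFrom"]], [aws_ssm_parameter.prometheus_config.arn, aws_ssm_parameter.cloudwatch_agent_config.arn])
+resources = [for kv_pair in local.secret_values[each.key] : kv_pair["valueFrom"]]
 effect = "Allow"
 }
 }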
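Review bot: With the two fixed ARNs gone, `resources` is now only the comprehension over `local.secret_values[each.key]`, so any key whose list is empty produces `resources = []`, and IAM rejects an identity-policy statement with no Resource element, whereas the old `concat` always carried at least the two parameter ARNs. If some services legitimately have no secrets, the wrapper around this `content` block (outside the hunk) needs to skip them, e.g. a dynamic `for_each = length(local.secret_values[each.key]) > 0 ? [1] : []`. The removal itself is right for least privilege, since an SSM parameter ARN under `secretsmanager:GetSecretValue` grants nothing useful, but confirm that the execution role still receives `ssm:GetParameters` on `aws_ssm_parameter.prometheus_config.arn` and `aws_ssm_parameter.cloudwatch_agent_config.arn` in a separate statement, or tasks referencing them via `valueFrom` will fail to start. The CloudWatch parameter is `type = "String"` per the second file, so no `kms:Decrypt` is needed for it; check whether the Prometheus one is SecureString.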

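--- a/terraform/app/ssm_parameters.tf
+++ b/terraform/app/ssm_parameters.tf
@@ -36,5 +36,7 @@ resource "aws_ssm_parameter" "cloudwatch_agent_config" {
 type = "String"
 tier = "Intelligent-Tiering"
 description = "CWAgent SSM Parameter for ECS Cluster: ${aws_ecs_cluster.cluster.name}"
-value = templatefile("templates/cloudwatch_agent_config.json.tpl", { log_group_name = aws_cloudwatch_log_group.ecs_log_group.name })
+value = templatefile("templates/cloudwatch_agent_config.json.tpl", {
+log_group_name = aws_cloudwatch_log_group.ecs_log_group.name
+})
 }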
