Add dynamic statement blocks (#41)

FitnessKeeper · May 28, 2024 · d6f080a · d6f080a
1 parent fbe38d1
commit d6f080a
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 4 deletions.
diff --git a/data.tf b/data.tf
@@ -77,10 +77,29 @@ data "aws_iam_policy_document" "task_execution_role_policy" {
     resources = concat([var.docker_secret], var.secret_arns)
   }
 
-  statement {
-    effect    = "Allow"
-    actions   = ["kms:Decrypt"]
-    resources = var.encryption_keys
+  dynamic "statement" {
+    for_each = length(var.ssm_param_arns) > 0 ? [1] : []
+
+    content {
+      effect = "Allow"
+      actions = [
+        "ssm:GetParameter",
+        "ssm:GetParameters"
+      ]
+      resources = var.ssm_param_arns
+    }
+  }
+
+  dynamic "statement" {
+    for_each = length(var.encryption_keys) > 0 ? [1] : []
+
+    content {
+      effect = "Allow"
+      actions = [
+        "kms:Decrypt"
+      ]
+      resources = var.encryption_keys
+    }
   }
 
   statement {

diff --git a/variables.tf b/variables.tf
@@ -330,3 +330,9 @@ variable "encryption_keys" {
   type        = list(string)
   default     = []
 }
+
+variable "ssm_param_arns" {
+  description = "Arn of the ssm parameters that are passed to the container environment"
+  type        = list(string)
+  default     = []
+}