From d6f080a6d472f37214c1bd9a39148470726eea56 Mon Sep 17 00:00:00 2001
From: SaiPrasannaGopularam <110479454+SaiPrasannaGopularam@users.noreply.github.com>
Date: Tue, 28 May 2024 16:11:27 -0400
Subject: [PATCH] Add dynamic statement blocks (#41)

---
 data.tf | 27 +++++++++++++++++++++++----
 variables.tf | 6 ++++++
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/data.tf b/data.tf
index bdcd8dd..dabb48f 100644
--- a/data.tf
+++ b/data.tf
@@ -77,10 +77,29 @@ data "aws_iam_policy_document" "task_execution_role_policy" {
     resources = concat([var.docker_secret], var.secret_arns)
   }
 
-  statement {
-    effect = "Allow"
-    actions = ["kms:Decrypt"]
-    resources = var.encryption_keys
+  dynamic "statement" {
+    for_each = length(var.ssm_param_arns) > 0 ? [1] : []
+
+    content {
+      effect = "Allow"
+      actions = [
+        "ssm:GetParameter",
+        "ssm:GetParameters"
+      ]
+      resources = var.ssm_param_arns
+    }
+  }
+
+  dynamic "statement" {
+    for_each = length(var.encryption_keys) > 0 ? [1] : []
+
+    content {
+      effect = "Allow"
+      actions = [
+        "kms:Decrypt"
+      ]
+      resources = var.encryption_keys
+    }
   }
 
   statement {
diff --git a/variables.tf b/variables.tf
index a84046b..f5d216e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -330,3 +330,9 @@ variable "encryption_keys" {
   type = list(string)
   default = []
 }
+
+variable "ssm_param_arns" {
+  description = "Arn of the ssm parameters that are passed to the container environment"
+  type = list(string)
+  default = []
+}
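Review bot: The new ssm:GetParameter/ssm:GetParameters statement and the now-conditional kms:Decrypt statement are independent of each other, so a caller who lists a SecureString parameter in ssm_param_arns but leaves encryption_keys empty presumably ends up with a role that is allowed to fetch the parameter but cannot decrypt it — nothing in the module documents that the two variables must be supplied together. A comment above the first dynamic block would save the next reader a failed deployment, e.g. `# SecureString parameters also need kms:Decrypt on the key that encrypts them; pass that key ARN via var.encryption_keys`, and a second comment on the for_each lines explaining the idiom, `# [1] is a one-element sentinel: emit the statement once, or not at all when the list is empty`. The enclosing aws_iam_policy_document "task_execution_role_policy" block starts before and continues after this hunk.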
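Review bot: The description of the new ssm_param_arns variable is under-specified for a value that directly scopes an IAM statement: it says "Arn of the ssm parameters" without saying what access is granted on them or what form the entries take. Since data.tf uses the list verbatim as the resources of an ssm:GetParameter/ssm:GetParameters statement, the description should state that, e.g. `description = "ARNs of the SSM parameters the task execution role is allowed to read (ssm:GetParameter / ssm:GetParameters); each entry is used as-is as an IAM resource"`. Keeping the default `[]` is right, since data.tf only emits the statement when the list is non-empty.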