[Feature] Add variable for AWS secrets #53
Description
ISSUE
With the current code, we are getting trivy errors for the github-aws-oidc module:
resource "aws_iam_role_policy" "organizations_role_policy" {
name = "organizations-tf-state-management-policy"
role = aws_iam_role.organizations_role.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
...
{
Sid = "AllowSecretRead"
Action = [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:GetResourcePolicy"
]
Effect = "Allow"
Resource = aws
Condition = {
StringEquals = {
"secretsmanager:ResourceTag/Purpose" = local.rg_tags["Purpose"]
}
}
},
...
}
Resulting in:
HIGH: IAM policy document uses sensitive action 'secretsmanager:GetSecretValue' on wildcarded resource '*'
════════════════════════════════════════
You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
See https://avd.aquasec.com/misconfig/avd-aws-0057
────────────────────────────────────────
oidc.tf:47
via oidc.tf:47 (aws_iam_role_policy.organizations_role_policy.policy)
via oidc.tf:46-98 (aws_iam_role_policy.organizations_role_policy.policy)
via oidc.tf:42-99 (aws_iam_role_policy.organizations_role_policy)
────────────────────────────────────────
42 resource "aws_iam_role_policy" "organizations_role_policy" {
..
47 [ Version = "2012-10-17"
..
99 }
────────────────────────────────────────
In order to avoid the error, for now, we have ignored it. We wish the user to be able to set any secret name they choose.
In order to satisfy both conditions, we should make the secret names a variable that the user must supply.