fix: Remove any secretsmanager:* permissions if no secret ARNs are provided to IRSA external-secrets permissions (#599)

ohookins · web-flow · commit d6109548613e · 2025-08-18T07:07:23.000-05:00
diff --git a/modules/iam-role-for-service-accounts/policies.tf b/modules/iam-role-for-service-accounts/policies.tf
@@ -483,14 +483,19 @@ data "aws_iam_policy_document" "external_secrets" {
     resources = ["*"]
   }
 
-  statement {
-    actions = [
-      "secretsmanager:GetResourcePolicy",
-      "secretsmanager:GetSecretValue",
-      "secretsmanager:DescribeSecret",
-      "secretsmanager:ListSecretVersionIds"
-    ]
-    resources = var.external_secrets_secrets_manager_arns
+  dynamic "statement" {
+    for_each = length(var.external_secrets_secrets_manager_arns) > 0 ? [1] : []
+
+    content {
+      actions = [
+        "secretsmanager:GetResourcePolicy",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:ListSecretVersionIds"
+      ]
+
+      resources = var.external_secrets_secrets_manager_arns
+    }
   }
 
   dynamic "statement" {
