chore: correct github perms

Author: Sophie Haskins

terraform/modules/gost_api/secrets.tf

@@ -41,11 +41,6 @@ data "aws_ssm_parameter" "datadog_api_key" {
   name = "${var.ssm_path_prefix}/datadog/api_key"
 }
 
-data "aws_ssm_parameter" "github_docker_credentials" {
-  count = var.enabled ? 1 : 0
-  name  = "${var.ssm_path_prefix}/github/docker_credentials"
-}
-
 module "decrypt_secrets_policy" {
   source  = "cloudposse/iam-policy/aws"
   version = "2.0.1"
@@ -77,7 +72,6 @@ module "decrypt_secrets_policy" {
             join("", data.aws_ssm_parameter.datadog_api_key[*].arn),
             join("", aws_ssm_parameter.postgres_connection_string[*].arn),
             join("", aws_ssm_parameter.cookie_secret[*].arn),
-            join("", data.aws_ssm_parameter.github_docker_credentials[*].arn),
           ])
         }
       ]

terraform/modules/gost_api/task.tf

@@ -158,10 +158,35 @@ resource "aws_iam_role" "execution" {
   })
 }
 
+data "aws_secretsmanager_secret" "github_docker_credentials" {
+  name = "${var.ssm_path_prefix}/github/docker_credentials"
+}
+
+module "decrypt_github_credentials_policy" {
+  source  = "cloudposse/iam-policy/aws"
+  version = "1.0.1"
+  context = module.this.context
+
+  name = "decrypt-github-credentials"
+
+  iam_policy_statements = {
+    GetSecretValue = {
+      effect = "Allow"
+      actions = [
+        "secretsmanager:GetSecretValue",
+      ]
+      resources = [
+        data.aws_secretsmanager_secret.github_docker_credentials.arn,
+      ]
+    }
+  }
+}
+
 resource "aws_iam_role_policy" "execution" {
   for_each = !var.enabled ? {} : {
-    decrypt-secrets = module.decrypt_secrets_policy.json
-    write-api-logs  = module.write_api_logs_policy.json
+    decrypt-secrets      = module.decrypt_secrets_policy.json
+    write-api-logs       = module.write_api_logs_policy.json
+    decrypt-github-creds = module.decrypt_github_credentials_policy.json
   }
 
   name   = each.key

terraform/modules/gost_consume_grants/compute.tf

@@ -157,6 +157,30 @@ resource "aws_iam_role" "execution" {
   })
 }
 
+data "aws_secretsmanager_secret" "github_docker_credentials" {
+  name = "${var.ssm_path_prefix}/github/docker_credentials"
+}
+
+module "decrypt_github_credentials_policy" {
+  source  = "cloudposse/iam-policy/aws"
+  version = "1.0.1"
+  context = module.this.context
+
+  name = "decrypt-github-credentials"
+
+  iam_policy_statements = {
+    GetSecretValue = {
+      effect = "Allow"
+      actions = [
+        "secretsmanager:GetSecretValue",
+      ]
+      resources = [
+        data.aws_secretsmanager_secret.github_docker_credentials.arn,
+      ]
+    }
+  }
+}
+
 resource "aws_iam_role_policy" "execution" {
   for_each = {
     decrypt-datadog-api-key = module.decrypt_datadog_api_key_policy.json

terraform/modules/gost_consume_grants/datadog.tf

@@ -16,9 +16,6 @@ locals {
 data "aws_ssm_parameter" "datadog_api_key" {
   name = "${var.ssm_path_prefix}/datadog/api_key"
 }
-data "aws_ssm_parameter" "github_docker_credentials" {
-  name = "${var.ssm_path_prefix}/github/docker_credentials"
-}
 
 module "decrypt_datadog_api_key_policy" {
   source  = "cloudposse/iam-policy/aws"
@@ -34,7 +31,6 @@ module "decrypt_datadog_api_key_policy" {
       resources = [
         data.aws_ssm_parameter.datadog_api_key.arn,
         data.aws_kms_key.ssm.arn,
-        data.aws_ssm_parameter.github_docker_credentials.arn,
       ]
     }
     GetSecretParameters = {
@@ -45,7 +41,6 @@ module "decrypt_datadog_api_key_policy" {
       ]
       resources = [
         data.aws_ssm_parameter.datadog_api_key.arn,
-        data.aws_ssm_parameter.github_docker_credentials.arn
       ]
     }
   }

terraform/modules/sqs_consumer_task/compute.tf

@@ -215,7 +215,6 @@ module "decrypt_github_credentials_policy" {
   }
 }
 
-
 resource "aws_iam_role_policy" "execution" {
   for_each = {
     decrypt-datadog-api-key = module.decrypt_datadog_api_key_policy.json