From e01963adb1face8c3c063303164cf4a719e60c0d Mon Sep 17 00:00:00 2001
From: Brett Delle Grazie
Date: Fri, 3 Oct 2025 08:53:29 +0200
Subject: [PATCH] fix: correct IAM policy BatchGetSecretValue in external secrets

In accordance with the external-secrets documentation here: https://external-secrets.io/v0.20.1/provider/aws-secrets-manager/#iam-policy and AWS docs here: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_iam-policies.html#auth-and-access_examples_batch secretsmanager:BatchGetSecretValue should be against resource "*" rather than the individual secret.
closes #475
---
 main.tf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/main.tf b/main.tf
index d324bd30..88293827 100644
--- a/main.tf
+++ b/main.tf
@@ -2407,7 +2407,10 @@ data "aws_iam_policy_document" "external_secrets" {
 for_each = length(var.external_secrets_secrets_manager_arns) > 0 ? [1] : []
 content {
- actions = ["secretsmanager:ListSecrets"]
+ actions = [
+ "secretsmanager:ListSecrets",
+ "secretsmanager:BatchGetSecretValue",
+ ]
 resources = ["*"]
 }
 }
@@ -2421,7 +2424,6 @@ data "aws_iam_policy_document" "external_secrets" {
 "secretsmanager:GetSecretValue",
 "secretsmanager:DescribeSecret",
 "secretsmanager:ListSecretVersionIds",
- "secretsmanager:BatchGetSecretValue",
 ]
 resources = var.external_secrets_secrets_manager_arns
 }
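Review bot: The wildcard resource on `secretsmanager:BatchGetSecretValue` added in the first hunk needs an inline comment, because a later reader will see `"*"` next to an action that returns secret values and be tempted to scope it back to `var.external_secrets_secrets_manager_arns`, which is exactly what the second hunk removes. Per the AWS documentation linked in the commit message, the action on `"*"` only authorises the batch call itself; every secret returned still requires `secretsmanager:GetSecretValue` on that secret's ARN, which the retained per-ARN statement in the second hunk continues to enforce, so the effective read scope is unchanged. Suggested comment above the new `actions` list: `# BatchGetSecretValue (like ListSecrets) must be granted on "*"; access to each secret's value is still gated by the per-ARN GetSecretValue statement below.` The `dynamic "statement"` block enclosing the first hunk starts before it, and the `effect`/`actions` opening of the per-ARN statement in the second hunk is also outside the hunk, so confirm the comment lands on the `"*"` statement and not the scoped one.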