I have an existing IAM policy attached to a role. Each time a new secret is created in the Secrets Manager, I need to append the new ARN to the policy. Can this be done with Terraform? I've managed to import the policy into the terraform.state file, but I don't know how to:

1) Append a new ARN inside the "Resources" list
2) Push the change to AWS
This is how the policy looks now:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                "SECRET_ARN_1",
                "SECRET_ARN_2",
                "SECRET_ARN_3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "KMS_ARN"
        }
    ]
}
And this is how I need it to look:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                "SECRET_ARN_1",
                "SECRET_ARN_2",
                "SECRET_ARN_3",
                "MY_BRAND_NEW_SECRET_ARN"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "KMS_ARN"
        }
    ]
}
The following import is working by importing the existing policy to the object aws_iam_policy.mysimplepolicy, but I don't know how to proceed from here.
terraform import aws_iam_policy.mysimplepolicy <MY_POLICY_ARN>
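As an added example (not from the question): once the policy is imported, Terraform needs a matching resource declaration whose document it can diff against the current state. Keeping the secret ARNs in one list variable and rendering the policy through an aws_iam_policy_document data source makes "append a new ARN" a one-line change; the resource name matches the import command above, while the policy name, ARNs and variable names are placeholders.

```hcl
# Secrets Manager ARNs the role may read. Appending a new secret means
# adding its ARN here; keep this an explicit list, never "*".
variable "secret_arns" {
  description = "ARNs of secrets readable by the role (placeholders)"
  type        = list(string)
  default = [
    "SECRET_ARN_1",
    "SECRET_ARN_2",
    "SECRET_ARN_3",
    "MY_BRAND_NEW_SECRET_ARN",
  ]
}

variable "kms_key_arn" {
  description = "KMS key used to encrypt those secrets (placeholder)"
  type        = string
  default     = "KMS_ARN"
}

# Rendered policy document; Terraform normalizes this JSON so it can be
# compared with the imported policy on every plan.
data "aws_iam_policy_document" "secrets_read" {
  statement {
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = var.secret_arns
  }

  statement {
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [var.kms_key_arn]
  }
}

# Same resource address as the import command, so this block takes over
# the existing policy rather than creating a second one.
resource "aws_iam_policy" "mysimplepolicy" {
  name   = "MY_POLICY_NAME" # placeholder: must equal the imported policy's name
  policy = data.aws_iam_policy_document.secrets_read.json
}
```

After adding the ARN, `terraform plan` should show a single in-place update of the `policy` attribute (a plan that proposes replacing the resource usually means the `name` does not match the imported policy), and `terraform apply` pushes the new policy version to AWS.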