Tags: amazon-web-services, lambda, terraform, terraform-provider-aws, secret-manager

Terraform 'aws_secretsmanager_secret' pass arn error: Invalid template interpolation value


I have a Lambda which will read a secret from Secrets Manager; they are all managed by Terraform. So in Terraform I have a definition for this secret:

resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

and for Lambda, I have attached a permission to get the secret:

resource "aws_iam_role_policy" "example_role_policy" {
  name   = "example-role-policy"
  role   = aws_iam_role.example_lambda_role.id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
.....(other needed permissions)
    },
    {
      "Sid": "GetDatabaseSecret",
      "Effect":"Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "${local.secret_arn}"
    }
  ]
}
POLICY
}

I have secret_arn defined in variables:

locals {
  secret_arn = "arn:aws:secretsmanager:::us-east-1:${local.account_number}:secret:${aws_secretsmanager_secret.example}-*"
}

When I apply Terraform, it gives me this error:

Error: Invalid template interpolation value

  on ..\..\xxx\terraform\variables.tf line 39, in locals:
  39:   secret_arn = "arn:aws:secretsmanager:::us-east-1:${local.account_number}:secret:${aws_secretsmanager_secret.example}-*"
    |----------------
    | aws_secretsmanager_secret.example is object with 12 attributes

Cannot include the given value in a string template: string required.

I tried to replace * with ?????? in the secret_arn but it is still not working; I couldn't find anything useful online. Might someone be able to help? Many thanks.


Solution

  • Your local.secret_arn should be using ${aws_secretsmanager_secret.example.name}-*, not ${aws_secretsmanager_secret.example}-*.

    But the easiest way to get the ARN in your policy would be simply:

    resource "aws_iam_role_policy" "example_role_policy" {
      name   = "example-role-policy"
      role   = aws_iam_role.example_lambda_role.id
      policy = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
    .....(other needed permissions)
        },
        {
          "Sid": "GetDatabaseSecret",
          "Effect":"Allow",
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": "${aws_secretsmanager_secret.example.arn}"
        }
      ]
    }
    POLICY
    }
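As an added example (not part of the question or the answer above), the same Lambda permission can be expressed with an aws_iam_policy_document data source instead of a heredoc string. Every attribute of that data source is a string or a list, so no template interpolation is involved and the "object with 12 attributes" error cannot occur. The resource names aws_iam_role.example_lambda_role and aws_secretsmanager_secret.example are taken from the question; the data source names, the secret_arn_pattern local and the caller-identity/region lookups are assumptions added here. Two points worth knowing when scoping this permission: the arn attribute already contains the random suffix Secrets Manager appends to a secret's name, so the exact ARN can be granted without a trailing "-*", and the canonical ARN layout is arn:aws:secretsmanager:<region>:<account-id>:secret:<name>-<suffix>, with a single colon between each field.

```hcl
# Added example: not the question's or the answer's code.
# Assumed names: data.aws_iam_policy_document.get_database_secret,
# data.aws_caller_identity.current, data.aws_region.current, local.secret_arn_pattern.

resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

# aws_iam_policy_document renders the JSON for us; every argument is a plain
# string or list, so there is no string template to break.
data "aws_iam_policy_document" "get_database_secret" {
  statement {
    sid     = "GetDatabaseSecret"
    effect  = "Allow"
    actions = ["secretsmanager:GetSecretValue"]

    # .arn already includes the random -XXXXXX suffix Secrets Manager adds,
    # so the exact ARN is granted: least privilege, no "-*" wildcard needed.
    resources = [aws_secretsmanager_secret.example.arn]
  }
}

resource "aws_iam_role_policy" "example_role_policy" {
  name   = "example-role-policy"
  role   = aws_iam_role.example_lambda_role.id
  policy = data.aws_iam_policy_document.get_database_secret.json
}

# Only if the ARN has to be assembled by hand (for example when the secret is
# created in another stack): interpolate string attributes only, and use the
# canonical layout arn:aws:secretsmanager:<region>:<account-id>:secret:<name>-<suffix>.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  secret_arn_pattern = "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${aws_secretsmanager_secret.example.name}-*"
}
```

Prefer the first form wherever the secret is managed in the same configuration: referencing aws_secretsmanager_secret.example.arn gives Terraform an explicit dependency on the secret and keeps the Resource element pinned to one secret rather than a name prefix, which is the behaviour you want to see when reviewing what a Lambda role is allowed to read.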