Optionally include the team in the secret ARN

We'd like to namespace secrets under the team to better allow us to
restrict access to them whilst staying within IAM policy size limits.

main.tf

@@ -1,17 +1,22 @@
-resource "aws_iam_policy" "secrets_policy" {                                    
-    name        = "${var.environment}-${var.component}-secrets"      
-    description = "Secrets access"                                              
-    policy      = "${data.aws_iam_policy_document.secrets_access.json}"         
+resource "aws_iam_policy" "secrets_policy" {
+  name        = "${var.environment}-${var.component}-secrets"
+  description = "Secrets access"
+  policy      = "${data.aws_iam_policy_document.secrets_access.json}"
 }
 
-data "aws_iam_policy_document" "secrets_access" {                               
-  statement {                                                                   
-    actions = [                                                                 
-      "secretsmanager:GetSecretValue",                                          
-    ]                                                                           
-
-    resources = [                                                               
-      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${var.component}/${var.environment}/*",
-    ]                                                                           
-  }                                                                             
+locals {
+  arn_base         = "arn:aws:secretsmanager:${data.aws_region.current.name}"
+  secret_namespace = "${var.team == "" ? "" : "${var.team}/"}${var.component}/${var.environment}/*"
+}
+
+data "aws_iam_policy_document" "secrets_access" {
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+
+    resources = [
+      "${local.arn_base}:${data.aws_caller_identity.current.account_id}:secret:${local.secret_namespace}",
+    ]
+  }
 }

tf_test.go

@@ -172,3 +172,35 @@ func TestPolicy(t *testing.T) {
         t.Errorf("Expected %s, got %s", expectedPolicy, policy.New)
     }
 }
+
+func TestPolicyIncludingTeam(t *testing.T) {
+    args := []string{
+        "-var", "component=mycomponent",
+        "-var", "environment=test",
+        "-var", "team=someteam",
+    }
+	plan := Setup(args...)
+
+	plan.AssertResource(t, "aws_iam_policy.secrets_policy")
+    plan.AssertResourceAttribute(
+        t, "aws_iam_policy.secrets_policy", "name",
+        "test-mycomponent-secrets",
+    )
+    expectedPolicy := `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Action": "secretsmanager:GetSecretValue",
+      "Resource": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:someteam/mycomponent/test/*"
+    }
+  ]
+}`
+    policyResource, _ := plan.FindResource("aws_iam_policy.secrets_policy")
+    policy, _ := plan.FindResourceAttribute(policyResource, "policy")
+
+    if policy.New != expectedPolicy {
+        t.Errorf("Expected %s, got %s", expectedPolicy, policy.New)
+    }
+}

variable.tf

@@ -8,6 +8,12 @@ variable "environment" {
   description = "The environment which these secrets are for"
 }
 
+variable "team" {
+  type        = "string"
+  description = "The team who owns this secret"
+  default     = ""
+}
+
 data "aws_caller_identity" "current" {}
 
 data "aws_region" "current" {}