Cross-Account Access

module "shared_credentials" {
  # Secrets Manager secret holding the shared database connection details
  # (host, port, username, password) as a single JSON document.
  #
  # NOTE(review): the rendered JSON, including the password, is stored in
  # Terraform state and appears in plan diffs unless var.shared_db_password is
  # declared `sensitive = true` (its declaration is not visible here) — confirm,
  # and keep the state backend encrypted and access-restricted.
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  name = "shared/database/credentials"

  # Customer-managed key from the sibling kms module. Any principal outside this
  # account that reads the secret must also be allowed kms:Decrypt (via
  # kms:ViaService secretsmanager) in that key's policy, otherwise cross-account
  # GetSecretValue fails even when the secret policy permits it — verify in
  # module.kms.
  kms_key_id = module.kms.key_id

  # Days a deleted secret stays recoverable before it is permanently purged.
  recovery_window_in_days = 30

  # Key order here is irrelevant: jsonencode emits object keys in lexical order.
  secret_string = jsonencode({
    username = "shared_user"
    password = var.shared_db_password
    host     = "shared-db.example.com"
    port     = 5432
  })
}

# Resource-based policy attached to the shared credentials secret that lets
# principals in two other AWS accounts read it. A resource policy alone is not
# sufficient: the callers also need a matching identity policy in their own
# account, and the KMS key behind module.kms must grant them kms:Decrypt.
resource "aws_secretsmanager_secret_policy" "cross_account" {
  secret_arn = module.shared_credentials.secret_arn

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowCrossAccountAccess"
        Effect = "Allow"
        Principal = {
          AWS = [
            # NOTE(review): the `:root` principal delegates access to the entire
            # account 111122223333 — any IAM user or role its administrators
            # choose to authorize can read the password. Prefer naming the
            # specific role(s) that need it, as is done for 444455556666 below,
            # unless account-wide delegation is the intended contract.
            "arn:aws:iam::111122223333:root",
            "arn:aws:iam::444455556666:role/ApplicationRole"
          ]
        }
        # Read-only: retrieve the current value and the secret's metadata.
        # No PutSecretValue/UpdateSecret/DeleteSecret, so external accounts
        # cannot rotate or destroy the credential.
        Action = [
          "secretsmanager:GetSecretValue",
          "secretsmanager:DescribeSecret"
        ]
        # In a Secrets Manager resource policy "*" means "this secret"; it does
        # not widen the grant to other secrets.
        Resource = "*"
      }
    ]
  })
}