---
apiVersion: iam.aws.crossplane.io/v1beta1
kind: Role
metadata:
  name: external-secrets-role
  labels:
    type: external-secrets-role
spec:
  forProvider:
    assumeRolePolicyDocument: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
              "StringEquals": {
                "${OIDC_PROVIDER}:aud": "sts.amazonaws.com",
                "${OIDC_PROVIDER}:sub": "system:serviceaccount:sealed-secrets:aws-secrets-manager"
              }
            }
          }
        ]
      }
  providerConfigRef:
    name: default
---
apiVersion: iam.aws.crossplane.io/v1beta1
kind: Policy
metadata:
  name: external-secrets-policy
spec:
  forProvider:
    name: external-secrets-policy
    document: |
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "secretsmanager:GetResourcePolicy",
                        "secretsmanager:GetSecretValue",
                        "secretsmanager:DescribeSecret",
                        "secretsmanager:ListSecretVersionIds"
                    ],
                    "Resource": [
                        "arn:aws:secretsmanager:${AWS_REGION}:${ACCOUNT_ID}:secret:sealed-secrets*"
                    ]
                }
            ]
        }
  providerConfigRef:
    name: default
---
apiVersion: iam.aws.crossplane.io/v1beta1
kind: RolePolicyAttachment
metadata:
  name: external-secrets-attachment
spec:
  forProvider:
    policyArnRef:
      name: external-secrets-policy
    roleNameRef:
      name: external-secrets-role
  providerConfigRef:
    name: default