From 1a3266b2fe2a2d4d0fe2733369b3d817814417f9 Mon Sep 17 00:00:00 2001
From: KY
Date: Mon, 8 Oct 2018 23:28:17 +0800
Subject: [PATCH 1/2] Support for policy in secrets manager datasource
---
aws/data_source_aws_secretsmanager_secret.go | 23 +++++++++
...a_source_aws_secretsmanager_secret_test.go | 50 +++++++++++++++++++
.../d/secretsmanager_secret.html.markdown | 1 +
3 files changed, 74 insertions(+)
diff --git a/aws/data_source_aws_secretsmanager_secret.go b/aws/data_source_aws_secretsmanager_secret.go
index b076b8d1cfd..feadc69b75b 100644
--- a/aws/data_source_aws_secretsmanager_secret.go
+++ b/aws/data_source_aws_secretsmanager_secret.go
@@ -8,6 +8,7 @@ import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/secretsmanager"
"github.com/hashicorp/terraform/helper/schema"
+ "github.com/hashicorp/terraform/helper/structure"
)

func dataSourceAwsSecretsManagerSecret() *schema.Resource {
@@ -34,6 +35,11 @@ func dataSourceAwsSecretsManagerSecret() *schema.Resource {
Optional: true,
Computed: true,
},
+ "policy": {
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ },
"rotation_enabled": {
Type: schema.TypeBool,
Computed: true,
@@ -104,6 +110,23 @@ func dataSourceAwsSecretsManagerSecretRead(d *schema.ResourceData, meta interfac
d.Set("rotation_enabled", output.RotationEnabled)
d.Set("rotation_lambda_arn", output.RotationLambdaARN)

+ pIn := &secretsmanager.GetResourcePolicyInput{
+ SecretId: aws.String(d.Id()),
+ }
+ log.Printf("[DEBUG] Reading Secrets Manager Secret policy: %s", pIn)
+ pOut, err := conn.GetResourcePolicy(pIn)
+ if err != nil {
+ return fmt.Errorf("error reading Secrets Manager Secret policy: %s", err)
+ }
+
+ if pOut.ResourcePolicy != nil {
+ policy, err := structure.NormalizeJsonString(aws.StringValue(pOut.ResourcePolicy))
+ if err != nil {
+ return fmt.Errorf("policy contains an invalid JSON: %s", err)
+ }
+ d.Set("policy", policy)
+ }
+
if err := d.Set("rotation_rules", flattenSecretsManagerRotationRules(output.RotationRules)); err != nil {
return fmt.Errorf("error setting rotation_rules: %s", err)
}
diff --git a/aws/data_source_aws_secretsmanager_secret_test.go b/aws/data_source_aws_secretsmanager_secret_test.go
index 7a0b24a5647..24e9c7f7da0 100644
--- a/aws/data_source_aws_secretsmanager_secret_test.go
+++ b/aws/data_source_aws_secretsmanager_secret_test.go
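Review bot: Returning on any error from `conn.GetResourcePolicy(pIn)` makes `secretsmanager:GetResourcePolicy` a hard requirement for every read of this data source, so existing configurations whose principal only has `DescribeSecret` will start failing with an access-denied error after this change even though they never reference `policy`. Since the attribute is optional output, I would either tolerate an access-denied response here — presumably by inspecting the error code before `return fmt.Errorf("error reading Secrets Manager Secret policy: %s", err)` and leaving `policy` empty with a `[WARN]` log — or at least call out the newly required IAM action in the data source documentation and changelog. The `d.Set("policy", policy)` result is also discarded while the adjacent `rotation_rules` set is checked; `if err := d.Set("policy", policy); err != nil { return fmt.Errorf("error setting policy: %s", err) }` keeps the two consistent. The enclosing dataSourceAwsSecretsManagerSecretRead begins before and continues after this hunk.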
@@ -69,6 +69,25 @@ func TestAccDataSourceAwsSecretsManagerSecret_Name(t *testing.T) {
})
}

+func TestAccDataSourceAwsSecretsManagerSecret_Policy(t *testing.T) {
+ rName := acctest.RandomWithPrefix("tf-acc-test")
+ resourceName := "aws_secretsmanager_secret.test"
+ datasourceName := "data.aws_secretsmanager_secret.test"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccDataSourceAwsSecretsManagerSecretConfig_Policy(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccDataSourceAwsSecretsManagerSecretCheck(datasourceName, resourceName),
+ ),
+ },
+ },
+ })
+}
+
func testAccDataSourceAwsSecretsManagerSecretCheck(datasourceName, resourceName string) resource.TestCheckFunc {
return func(s *terraform.State) error {
resource, ok := s.RootModule().Resources[datasourceName]
@@ -86,6 +105,7 @@ func testAccDataSourceAwsSecretsManagerSecretCheck(datasourceName, resourceName
"description",
"kms_key_id",
"name",
+ "policy",
"rotation_enabled",
"rotation_lambda_arn",
"rotation_rules.#",
@@ -148,6 +168,36 @@ data "aws_secretsmanager_secret" "test" {
`, rName)
}

+func testAccDataSourceAwsSecretsManagerSecretConfig_Policy(rName string) string {
+ return fmt.Sprintf(`
+resource "aws_secretsmanager_secret" "test" {
+ name = "%[1]s"
+
+ policy = <
Date: Tue, 9 Oct 2018 08:51:33 +0800
Subject: [PATCH 2/2] Changes based upon review
---
aws/data_source_aws_secretsmanager_secret.go | 4 ++--
aws/data_source_aws_secretsmanager_secret_test.go | 5 ++---
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/aws/data_source_aws_secretsmanager_secret.go b/aws/data_source_aws_secretsmanager_secret.go
index feadc69b75b..1cba15188c3 100644
--- a/aws/data_source_aws_secretsmanager_secret.go
+++ b/aws/data_source_aws_secretsmanager_secret.go
@@ -37,7 +37,6 @@ func dataSourceAwsSecretsManagerSecret() *schema.Resource {
},
"policy": {
Type: schema.TypeString,
- Optional: true,
Computed: true,
},
"rotation_enabled": {
@@ -109,6 +108,7 @@ func dataSourceAwsSecretsManagerSecretRead(d *schema.ResourceData, meta interfac
d.Set("name", output.Name)
d.Set("rotation_enabled", output.RotationEnabled)
d.Set("rotation_lambda_arn", output.RotationLambdaARN)
+ d.Set("policy", "")

pIn := &secretsmanager.GetResourcePolicyInput{
SecretId: aws.String(d.Id()),
@@ -119,7 +119,7 @@ func dataSourceAwsSecretsManagerSecretRead(d *schema.ResourceData, meta interfac
return fmt.Errorf("error reading Secrets Manager Secret policy: %s", err)
}

- if pOut.ResourcePolicy != nil {
+ if pOut != nil && pOut.ResourcePolicy != nil {
policy, err := structure.NormalizeJsonString(aws.StringValue(pOut.ResourcePolicy))
if err != nil {
return fmt.Errorf("policy contains an invalid JSON: %s", err)
diff --git a/aws/data_source_aws_secretsmanager_secret_test.go b/aws/data_source_aws_secretsmanager_secret_test.go
index 24e9c7f7da0..55accf3ce2f 100644
--- a/aws/data_source_aws_secretsmanager_secret_test.go
+++ b/aws/data_source_aws_secretsmanager_secret_test.go
@@ -171,7 +171,7 @@ data "aws_secretsmanager_secret" "test" {
func testAccDataSourceAwsSecretsManagerSecretConfig_Policy(rName string) string {
return fmt.Sprintf(`
resource "aws_secretsmanager_secret" "test" {
- name = "%[1]s"
+ name = "%[1]s"

policy = <
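Review bot: The new `d.Set("policy", "")` line carries no comment, and read next to the later `d.Set("policy", policy)` it looks like an accidental leftover rather than a deliberate default for secrets that have no resource policy attached. A short why-comment above it would make the intent clear: `// Reset first so "policy" is always populated, even when GetResourcePolicy returns no ResourcePolicy.` The added `pOut != nil` guard likewise deserves a one-line note on whether a nil output alongside a nil error has actually been observed or is purely defensive, since the SDK normally returns a non-nil output when err is nil. dataSourceAwsSecretsManagerSecretRead begins before and continues after this hunk.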