From a0200aa6430edc3a638de86f2ca19347c4fce1f6 Mon Sep 17 00:00:00 2001
From: Frederik Ring
Date: Fri, 19 Jul 2019 22:00:55 +0200
Subject: [PATCH] properly scope secrets access
---
 accounts/serverless.yml | 3 ++-
 package.json | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/accounts/serverless.yml b/accounts/serverless.yml
index c277594..017bc31 100644
--- a/accounts/serverless.yml
+++ b/accounts/serverless.yml
@@ -15,7 +15,7 @@ provider:
 - Effect: 'Allow'
 Action:
 - secretsmanager:GetSecretValue
- Resource: '*'
+ Resource: arn:aws:secretsmanager:eu-central-1:#{AWS::AccountId}:secret:${self:custom.stage}/*
 package:
 individually: true
@@ -26,6 +26,7 @@ plugins:
 - serverless-domain-manager
 - serverless-python-requirements
 - serverless-wsgi
+ - serverless-pseudo-parameters
 custom:
 stage: ${opt:stage, self:provider.stage}
diff --git a/package.json b/package.json
index 90834c3..c0b426f 100644
--- a/package.json
+++ b/package.json
@@ -17,9 +17,9 @@
 "serverless-apigw-binary": "^0.4.4",
 "serverless-domain-manager": "^2.6.13",
 "serverless-finch": "^2.4.2",
+ "serverless-pseudo-parameters": "^2.4.0",
 "serverless-python-requirements": "^4.3.0",
 "serverless-wsgi": "^1.7.2"
 },
- "devDependencies": {
- }
+ "devDependencies": {}
 }
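Review bot: The new `Resource` ARN hard-codes `eu-central-1` while the account id comes from a pseudo parameter, so a deployment to any other region would leave the role without access to its secrets, and that would only surface at runtime as an access-denied error from Secrets Manager. Since this commit already loads serverless-pseudo-parameters, the region can be resolved the same way, and quoting the scalar (as the old `'*'` was) keeps `#{`, `${` and the trailing `*` clear of YAML parser differences: `Resource: 'arn:aws:secretsmanager:#{AWS::Region}:#{AWS::AccountId}:secret:${self:custom.stage}/*'`. The statement appears to sit under `provider:`, whose block starts and ends outside the hunk, so it presumably applies to every function in the service. The `<stage>/*` prefix also still matches any secret that another service stores under the same stage prefix; if that happens in this account, adding a service segment to the path would narrow the grant further.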
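Review bot: The added `serverless-pseudo-parameters` entry uses a caret range, and the diffstat lists only two changed files, so no lockfile is updated alongside it; the plugin version that rewrites the IAM resource at deploy time is whatever `^2.4.0` resolves to on the deploying machine. Because the substitution of `#{AWS::AccountId}` in the policy depends on this plugin, pinning it (`"serverless-pseudo-parameters": "2.4.0"`) or committing a lockfile and installing with `npm ci` would make the deployed policy reproducible. Whether the repository keeps a lockfile elsewhere is not visible from this patch. The `devDependencies` change in the same hunk is formatting only.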