From 146291dcd9646576b5a1e5a17231a01d3291d07e Mon Sep 17 00:00:00 2001
From: Simon Kok
Date: Fri, 21 Jul 2023 10:25:26 +0200
Subject: [PATCH] Fix GitHub Pipeline secret token usage

**Why?** No access was provided to pipelines that rely on GitHub repositories as their source, using the GitHub Oauth token stored in the `/adf/github_token` secret in Secrets Manager. This issue was introduced with the refactoring to the separate pipeline management stack in ADF v3.2.0.
**What?** Added access rights for the pipeline creation stack to fetch the GitHub Oauth secret.
---
 .../adf-bootstrap/deployment/pipeline_management.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
index 03190dbb3..af8c515c5 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml
@@ -891,6 +891,11 @@ Resources:
 - "iam:TagPolicy"
 - "iam:TagRole"
 Resource: "*"
+ - Effect: Allow
+ Action:
+ - "secretsmanager:GetSecretValue"
+ Resource:
+ - !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/adf/github_token-*"
 DeploymentMapProcessingFunction:
 Type: 'AWS::Serverless::Function'
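Review bot: The new statement's resource pattern `/adf/github_token-*` ends in a `-*` with no comment saying why, and a later tidy-up that narrows it to the exact secret name would silently reintroduce the access failure this commit fixes; I would add above the new `- Effect: Allow` line `# Secrets Manager appends a random suffix to secret ARNs, hence the trailing -*`. If `/adf/github_token` is encrypted with a customer-managed KMS key rather than the service-managed default, `kms:Decrypt` on that key is also required for GetSecretValue to succeed, which is worth confirming against how the secret is created since that is not visible here. As a point of style, the preceding statement writes `Resource: "*"` as a scalar while the new one wraps a single ARN in a one-item sequence; both are valid, but matching the sibling reads more consistently. The enclosing policy document and role definition start before the hunk.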