From b9eced96349731274d7511b8d7fea9ba385d6455 Mon Sep 17 00:00:00 2001
From: Himanshu Rai
Date: Mon, 25 Nov 2024 17:15:56 +0530
Subject: [PATCH] code based on review comment

---
 firehose-template.yaml | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/firehose-template.yaml b/firehose-template.yaml
index c86683a..fb1424f 100644
--- a/firehose-template.yaml
+++ b/firehose-template.yaml
@@ -157,14 +157,17 @@ Resources:
 Action:
 - logs:PutLogEvents
 Resource: 'arn:aws:logs:*:*:*'
- - PolicyName: Firehose-SecretsManagerAccess
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Action:
- - 'secretsmanager:GetSecretValue'
- Resource: !If [ShouldCreateSecret, !Ref NewRelicLogsLicenseKeySecret, ['*'] ]
+ - !If
+ - ShouldCreateSecret
+ - PolicyName: Firehose-SecretsManagerAccess
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Action:
+ - 'secretsmanager:GetSecretValue'
+ Resource: !Ref NewRelicLogsLicenseKeySecret
+ - !Ref "AWS::NoValue"
 Description: Role to allow firehose stream to access resources including putting events into S3 backup bucket
 RoleName: !Join ['-', ['NewRelicLogsFirehoseRole', !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId' ]]]]]]
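Review bot: When ShouldCreateSecret is false the role now carries no `secretsmanager:GetSecretValue` permission at all, so if the delivery stream is meant to read a caller-supplied existing secret (not visible in this hunk) it would fail at runtime rather than at deploy time. The removed `['*']` resource was the real problem — it granted read access to every secret in the account — so dropping it is the right direction; if the template has a parameter for an existing secret ARN, the statement should be kept and its `Resource:` scoped to that ARN through a second `!If` instead of omitting the whole policy. Because the `!Ref "AWS::NoValue"` list-element idiom is easy to misread, a short comment above the new `- !If` line would help, e.g. `# GetSecretValue is granted only on the secret this stack creates; AWS::NoValue removes the policy otherwise`. The enclosing Policies list and the Role resource begin above this hunk.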