Suggested AWS SecretsManager policy allows access to untagged secrets

[techxorcist]

In the Infrastructure>AWS portion of the docs, the recommended IAM policy for the SecretsManager contains the following element:

            "Condition": {
                "ForAllValues:StringEquals": {
                    "secretsmanager:ResourceTag/AirbyteManaged": "true"
                }

This condition allows access to untagged Secrets, which will help the SecretsManager work with an installation where tags for secrets are not specified in values.yaml but also will allow traversal to any untagged secrets in the same storage.

I believe the fix would be to amend the documentation to recommend the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:TagResource",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:UpdateSecret",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "secretsmanager:ResourceTag/AirbyteManaged": "true"
                },
                "Null": {
                    "secretsmanager:ResourceTag/AirbyteManaged": false
                }
            }
        }
    ]
}

In addition, it would be user-friendly to suggest the following in the Integrations>Secrets documentation:

global:
  secretsManager:
    type: awsSecretManager
    secretName: "airbyte-config-secrets" # Name of your Kubernetes secret.
    awsSecretManager:
      region: <aws-region>
      authenticationType: credentials ## Use "credentials" or "instanceProfile"
      tags: 
        ## Ensure this tag is applied to secrets if working with the IAM policy suggested by the Infrastructure>AWS documentation
        - key: "AirbyteManaged"
          value: "true"
        ## Optional - You may add additional tags to new secrets created by Airbyte (and you may wish to add these to the conditions in the IAM policy)
        - key: ## e.g. team
          value: ## e.g. deployments
        - key: business-unit
          value: engineering
      kms: ## Optional - ARN for KMS Decryption.