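function Get-AlkamiSecretResourcePolicyString {
    <#
    .SYNOPSIS
        Returns the string for an AWS Secret resource policy that allows access to admins and SysEng (by default).

    .DESCRIPTION
        Builds a single "deny everyone except" statement: secretsmanager:* is denied to every
        principal whose aws:PrincipalArn is NOT in the exemption list. The exemption list is the
        account's CLI-SRE-Admin role, DAG-AWS-Admins role and account root, plus any ARNs passed in
        -SecretAccessExtraArns. The account number is resolved from the caller identity of the
        given profile, so the policy is always scoped to the account that profile points at.

        Because the statement is a Deny gated by ArnNotEquals, a malformed exemption list would
        lock everyone out of the secret. The function therefore throws instead of emitting a
        policy when the account number cannot be resolved.

    .PARAMETER ProfileName
        [string] The AWS profile to use when creating the resource policy.

    .PARAMETER SecretAccessExtraArns
        [string[]] An array of AWS ARNs allowed to access the secret in addition to the defaults.
        Blank entries are skipped. Entries containing '*' or '?' are accepted but produce a warning,
        since ArnNotEquals treats those characters as wildcards and the exemption then covers every
        matching principal rather than a single one.

    .EXAMPLE
        Get-AlkamiSecretResourcePolicyString -ProfileName 'temp-dev'
        {"Version":"2012-10-17","Statement":[{"Action":"secretsmanager:*","Condition":{"ArnNotEquals":{"aws:PrincipalArn":["arn:aws:iam::327695573722:role/CLI-SRE-Admin","arn:aws:iam::327695573722:role/DAG-AWS-Admins","arn:aws:iam::327695573722:root"]}},"Principal":{"AWS":"*"},"Resource":"*","Effect":"Deny","Sid":"DenyAllUnlessExplicitlyAllowed"}]}

    .EXAMPLE
        Get-AlkamiSecretResourcePolicyString -ProfileName 'temp-dev' -SecretAccessExtraArns @( 'ExampleArn1', 'ExampleArn2' )
        {"Version":"2012-10-17","Statement":[{"Action":"secretsmanager:*","Condition":{"ArnNotEquals":{"aws:PrincipalArn":["arn:aws:iam::327695573722:role/CLI-SRE-Admin","arn:aws:iam::327695573722:role/DAG-AWS-Admins","arn:aws:iam::327695573722:root","ExampleArn1","ExampleArn2"]}},"Principal":{"AWS":"*"},"Resource":"*","Effect":"Deny","Sid":"DenyAllUnlessExplicitlyAllowed"}]}
    #>
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $ProfileName,

        [Parameter(Mandatory = $false)]
        [string[]] $SecretAccessExtraArns = $null
    )

    Import-AWSModule

    # Fail closed. With the default ErrorAction a failed identity lookup would leave
    # $accountNumber empty and the exemption ARNs malformed; under a Deny/ArnNotEquals
    # statement that denies *everyone*, admins included.
    $accountNumber = (Get-STSCallerIdentity -ProfileName $ProfileName -ErrorAction Stop).Account
    if ([string]::IsNullOrWhiteSpace($accountNumber)) {
        throw "Unable to resolve the AWS account number for profile '$ProfileName'; refusing to build a resource policy."
    }

    # Principals exempt from the Deny: the default admins first, then caller-supplied extras,
    # in the same order the original emitted them.
    $allowedPrincipalArns = @(
        "arn:aws:iam::${accountNumber}:role/CLI-SRE-Admin",
        "arn:aws:iam::${accountNumber}:role/DAG-AWS-Admins",
        "arn:aws:iam::${accountNumber}:root"
    )

    # The list is assembled before the policy object is built. Appending through
    # $policyObj.Statement.Condition... relies on member-access enumeration over the
    # Statement array, which PowerShell supports for reads but not for assignment.
    foreach ($extraArn in $SecretAccessExtraArns) {
        if ([string]::IsNullOrWhiteSpace($extraArn)) {
            continue
        }
        # ArnNotEquals matches '*' and '?' as wildcards in every ARN segment, so a wildcard
        # widens the exemption beyond one principal. Surface it; do not silently accept or drop it.
        if ($extraArn -match '[*?]') {
            Write-Warning "Extra ARN '$extraArn' contains a wildcard; every principal matching it is exempted from the Deny."
        }
        $allowedPrincipalArns += $extraArn
    }

    $policyObj = @{
        Version   = "2012-10-17"
        Statement = @(
            @{
                Sid       = "DenyAllUnlessExplicitlyAllowed"
                Action    = "secretsmanager:*"
                Effect    = "Deny"
                Resource  = "*"
                Principal = @{ AWS = "*" }
                Condition = @{
                    ArnNotEquals = @{
                        "aws:PrincipalArn" = $allowedPrincipalArns
                    }
                }
            }
        )
    }

    # -Depth 10 keeps ConvertTo-Json from truncating the nested Condition block.
    return (ConvertTo-Json -InputObject $policyObj -Compress -Depth 10)
}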