v2.1.2: change to use for_each for attaching policies

CHANGES.md

@@ -10,3 +10,6 @@
 
 * v2.1.1 -- 20210614
   - add terraform tags
+
+* v2.1.2 -- 20210614
+  - change to attach policies via for_each

README.md

@@ -46,9 +46,7 @@ No modules.
 | [aws_iam_access_key.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_iam_group.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
 | [aws_iam_group_membership.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
-| [aws_iam_group_policy_attachment.additional_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
-| [aws_iam_group_policy_attachment.audit-0](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
-| [aws_iam_group_policy_attachment.audit-1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_group_policy_attachment.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
 | [aws_iam_policy.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_user.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [null_resource.audit_output](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |

main.tf

@@ -53,6 +53,8 @@ locals {
   )
   aws_access_key_id     = concat(aws_iam_access_key.audit[*].id, list(""))
   aws_secret_access_key = concat(aws_iam_access_key.audit[*].encrypted_secret, list(""))
+
+  policies = compact(concat([aws_iam_policy.audit.arn, data.aws_iam_policy.aws-managed-security-audit.arn], var.additional_policies))
 }
 
 #---
@@ -127,24 +129,8 @@ data "aws_iam_policy" "aws-managed-security-audit" {
   arn = "arn:${data.aws_arn.current.partition}:iam::aws:policy/SecurityAudit"
 }
 
-#resource "aws_iam_group_policy_attachment" "audit" {
-#  count      = "${length(local.security-audit-policies)}"
-#  group      = "${aws_iam_group.audit.name}"
-#  policy_arn = "${element(local.security-audit-policies,count.index)}"
-#}
-
-resource "aws_iam_group_policy_attachment" "audit-0" {
-  group      = aws_iam_group.audit.name
-  policy_arn = aws_iam_policy.audit.arn
-}
-
-resource "aws_iam_group_policy_attachment" "audit-1" {
-  group      = aws_iam_group.audit.name
-  policy_arn = data.aws_iam_policy.aws-managed-security-audit.arn
-}
-
-resource "aws_iam_group_policy_attachment" "additional_policies" {
-  for_each   = toset(var.additional_policies)
+resource "aws_iam_group_policy_attachment" "audit" {
+  for_each   = toset(local.policies)
   group      = aws_iam_group.audit.name
   policy_arn = each.key
 }
@@ -161,9 +147,7 @@ resource "aws_iam_access_key" "audit" {
 resource "null_resource" "audit_output" {
   count = length(var.users)
   triggers = {
-    user = element(aws_iam_user.audit[*].name, count.index)
-    #    aws_access_key_id = element(aws_iam_access_key.audit[*].id,count.index)
-    #    aws_secret_access_key = element(aws_iam_access_key.audit[*].encrypted_secret,count.index)
+    user                  = element(aws_iam_user.audit[*].name, count.index)
     aws_access_key_id     = element(local.aws_access_key_id, count.index)
     aws_secret_access_key = element(local.aws_secret_access_key, count.index)
   }

version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.1.1"
+  _module_version = "2.1.2"
 }