From 0f97cb4f81c76cbb19b7419e5f5bdf8a56b3412e Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 14 Jun 2021 16:59:02 -0400
Subject: [PATCH] v2.1.2: change to use for_each for attaching policies
---
 CHANGES.md | 3 +++
 README.md | 4 +---
 main.tf | 26 +++++---------------------
 version.tf | 2 +-
 4 files changed, 10 insertions(+), 25 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 744f945..844d879 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -10,3 +10,6 @@
 * v2.1.1 -- 20210614
 - add terraform tags
+
+* v2.1.2 -- 20210614
+ - change to attach policies via for_each
diff --git a/README.md b/README.md
index 691a095..8a5df98 100644
--- a/README.md
+++ b/README.md
@@ -46,9 +46,7 @@ No modules.
 | [aws_iam_access_key.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_iam_group.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
 | [aws_iam_group_membership.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
-| [aws_iam_group_policy_attachment.additional_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
-| [aws_iam_group_policy_attachment.audit-0](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
-| [aws_iam_group_policy_attachment.audit-1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_group_policy_attachment.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
 | [aws_iam_policy.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_user.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [null_resource.audit_output](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
diff --git a/main.tf b/main.tf
index 0baee5a..1eae09d 100644
--- a/main.tf
+++ b/main.tf
@@ -53,6 +53,8 @@ locals {
 )
 aws_access_key_id = concat(aws_iam_access_key.audit[*].id, list(""))
 aws_secret_access_key = concat(aws_iam_access_key.audit[*].encrypted_secret, list(""))
+
+ policies = compact(concat([aws_iam_policy.audit.arn, data.aws_iam_policy.aws-managed-security-audit.arn], var.additional_policies))
 }
 #---
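Review bot: The new `policies` local is consumed by `for_each = toset(local.policies)` in the next hunk, and it now includes `aws_iam_policy.audit.arn`, a managed-resource attribute that is unknown until that policy exists; on a fresh apply, or whenever the policy is replaced, Terraform rejects the plan with its "for_each value depends on resource attributes that cannot be determined until apply" error, because set elements become the instance keys. The old `additional_policies` resource only iterated `var.additional_policies`, so this is a regression the hunk introduces rather than pre-existing behaviour. Building a map with static keys avoids it, since only the keys must be known at plan time; the attachment in the next hunk then becomes `for_each = local.policies` and `policy_arn = each.value`. The enclosing `locals` block starts outside the hunk.
```hcl
  # … unchanged: aws_access_key_id / aws_secret_access_key locals …
  policies = merge(
    {
      "audit"          = aws_iam_policy.audit.arn
      "security-audit" = data.aws_iam_policy.aws-managed-security-audit.arn
    },
    { for arn in compact(var.additional_policies) : arn => arn }
  )
```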
@@ -127,24 +129,8 @@ data "aws_iam_policy" "aws-managed-security-audit" {
 arn = "arn:${data.aws_arn.current.partition}:iam::aws:policy/SecurityAudit"
 }
-#resource "aws_iam_group_policy_attachment" "audit" {
-# count = "${length(local.security-audit-policies)}"
-# group = "${aws_iam_group.audit.name}"
-# policy_arn = "${element(local.security-audit-policies,count.index)}"
-#}
-
-resource "aws_iam_group_policy_attachment" "audit-0" {
- group = aws_iam_group.audit.name
- policy_arn = aws_iam_policy.audit.arn
-}
-
-resource "aws_iam_group_policy_attachment" "audit-1" {
- group = aws_iam_group.audit.name
- policy_arn = data.aws_iam_policy.aws-managed-security-audit.arn
-}
-
-resource "aws_iam_group_policy_attachment" "additional_policies" {
- for_each = toset(var.additional_policies)
+resource "aws_iam_group_policy_attachment" "audit" {
+ for_each = toset(local.policies)
 group = aws_iam_group.audit.name
 policy_arn = each.key
 }
@@ -161,9 +147,7 @@ resource "aws_iam_access_key" "audit" {
 resource "null_resource" "audit_output" {
 count = length(var.users)
 triggers = {
- user = element(aws_iam_user.audit[*].name, count.index)
- # aws_access_key_id = element(aws_iam_access_key.audit[*].id,count.index)
- # aws_secret_access_key = element(aws_iam_access_key.audit[*].encrypted_secret,count.index)
+ user = element(aws_iam_user.audit[*].name, count.index)
 aws_access_key_id = element(local.aws_access_key_id, count.index)
 aws_secret_access_key = element(local.aws_secret_access_key, count.index)
 }
diff --git a/version.tf b/version.tf
index 2c6176e..4955ed1 100644
--- a/version.tf
+++ b/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.1.1"
+ _module_version = "2.1.2"
 }
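Review bot: Replacing `audit-0`, `audit-1` and `additional_policies[...]` with `aws_iam_group_policy_attachment.audit[...]` changes the state address of every attachment, so an existing deployment upgrading to v2.1.2 gets a plan that destroys the old instances and creates new ones for the same group/policy pairs instead of keeping them. Terraform does not order those independent destroy and create operations, so the detach may run after the attach and leave a policy actually detached while state says it is attached, until the next refresh notices the drift. Nothing in the hunk or the CHANGES.md entry tells users to move state first, e.g. `terraform state mv 'aws_iam_group_policy_attachment.audit-0' 'aws_iam_group_policy_attachment.audit["<policy arn>"]'` per attachment before applying; a short upgrade note in CHANGES.md or README would cover it. The old `additional_policies` instances were already keyed by ARN, so those moves are mechanical.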