fix: Direct policy attachment of iam-policy-created resources (#428)

Co-authored-by: Anton Babenko <anton@antonbabenko.com>

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.0
+    rev: v1.83.5
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
@@ -24,7 +24,7 @@ repos:
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer

modules/iam-user/main.tf

@@ -47,7 +47,7 @@ resource "aws_iam_user_ssh_key" "this" {
 }
 
 resource "aws_iam_user_policy_attachment" "this" {
-  for_each = var.create_user ? toset(var.policy_arns) : []
+  for_each = { for k, v in var.policy_arns : k => v if var.create_user }
 
   user       = aws_iam_user.this[0].name
   policy_arn = each.value

wrappers/iam-account/main.tf

@@ -3,16 +3,16 @@ module "wrapper" {
 
   for_each = var.items
 
-  get_caller_identity            = try(each.value.get_caller_identity, var.defaults.get_caller_identity, true)
   account_alias                  = try(each.value.account_alias, var.defaults.account_alias)
+  allow_users_to_change_password = try(each.value.allow_users_to_change_password, var.defaults.allow_users_to_change_password, true)
   create_account_password_policy = try(each.value.create_account_password_policy, var.defaults.create_account_password_policy, true)
+  get_caller_identity            = try(each.value.get_caller_identity, var.defaults.get_caller_identity, true)
+  hard_expiry                    = try(each.value.hard_expiry, var.defaults.hard_expiry, false)
   max_password_age               = try(each.value.max_password_age, var.defaults.max_password_age, 0)
   minimum_password_length        = try(each.value.minimum_password_length, var.defaults.minimum_password_length, 8)
-  allow_users_to_change_password = try(each.value.allow_users_to_change_password, var.defaults.allow_users_to_change_password, true)
-  hard_expiry                    = try(each.value.hard_expiry, var.defaults.hard_expiry, false)
   password_reuse_prevention      = try(each.value.password_reuse_prevention, var.defaults.password_reuse_prevention, null)
   require_lowercase_characters   = try(each.value.require_lowercase_characters, var.defaults.require_lowercase_characters, true)
-  require_uppercase_characters   = try(each.value.require_uppercase_characters, var.defaults.require_uppercase_characters, true)
   require_numbers                = try(each.value.require_numbers, var.defaults.require_numbers, true)
   require_symbols                = try(each.value.require_symbols, var.defaults.require_symbols, true)
+  require_uppercase_characters   = try(each.value.require_uppercase_characters, var.defaults.require_uppercase_characters, true)
 }

wrappers/iam-assumable-role-with-oidc/main.tf

@@ -3,22 +3,22 @@ module "wrapper" {
 
   for_each = var.items
 
+  allow_self_assume_role         = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+  aws_account_id                 = try(each.value.aws_account_id, var.defaults.aws_account_id, "")
   create_role                    = try(each.value.create_role, var.defaults.create_role, false)
+  force_detach_policies          = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
+  max_session_duration           = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
+  number_of_role_policy_arns     = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
+  oidc_fully_qualified_audiences = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, [])
+  oidc_fully_qualified_subjects  = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, [])
+  oidc_subjects_with_wildcards   = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, [])
   provider_url                   = try(each.value.provider_url, var.defaults.provider_url, "")
   provider_urls                  = try(each.value.provider_urls, var.defaults.provider_urls, [])
-  aws_account_id                 = try(each.value.aws_account_id, var.defaults.aws_account_id, "")
-  tags                           = try(each.value.tags, var.defaults.tags, {})
+  role_description               = try(each.value.role_description, var.defaults.role_description, "")
   role_name                      = try(each.value.role_name, var.defaults.role_name, null)
   role_name_prefix               = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null)
-  role_description               = try(each.value.role_description, var.defaults.role_description, "")
   role_path                      = try(each.value.role_path, var.defaults.role_path, "/")
   role_permissions_boundary_arn  = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "")
-  max_session_duration           = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
   role_policy_arns               = try(each.value.role_policy_arns, var.defaults.role_policy_arns, [])
-  number_of_role_policy_arns     = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
-  oidc_fully_qualified_subjects  = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, [])
-  oidc_subjects_with_wildcards   = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, [])
-  oidc_fully_qualified_audiences = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, [])
-  force_detach_policies          = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
-  allow_self_assume_role         = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+  tags                           = try(each.value.tags, var.defaults.tags, {})
 }

wrappers/iam-assumable-role-with-saml/main.tf

@@ -3,20 +3,20 @@ module "wrapper" {
 
   for_each = var.items
 
+  allow_self_assume_role        = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+  aws_saml_endpoint             = try(each.value.aws_saml_endpoint, var.defaults.aws_saml_endpoint, "https://signin.aws.amazon.com/saml")
   create_role                   = try(each.value.create_role, var.defaults.create_role, false)
+  force_detach_policies         = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
+  max_session_duration          = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
+  number_of_role_policy_arns    = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
   provider_id                   = try(each.value.provider_id, var.defaults.provider_id, "")
   provider_ids                  = try(each.value.provider_ids, var.defaults.provider_ids, [])
-  aws_saml_endpoint             = try(each.value.aws_saml_endpoint, var.defaults.aws_saml_endpoint, "https://signin.aws.amazon.com/saml")
-  tags                          = try(each.value.tags, var.defaults.tags, {})
+  role_description              = try(each.value.role_description, var.defaults.role_description, "")
   role_name                     = try(each.value.role_name, var.defaults.role_name, null)
   role_name_prefix              = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null)
-  role_description              = try(each.value.role_description, var.defaults.role_description, "")
   role_path                     = try(each.value.role_path, var.defaults.role_path, "/")
   role_permissions_boundary_arn = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "")
-  max_session_duration          = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
   role_policy_arns              = try(each.value.role_policy_arns, var.defaults.role_policy_arns, [])
-  number_of_role_policy_arns    = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
-  force_detach_policies         = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
-  allow_self_assume_role        = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+  tags                          = try(each.value.tags, var.defaults.tags, {})
   trusted_role_actions          = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRoleWithSAML", "sts:TagSession"])
 }

wrappers/iam-assumable-role/main.tf

@@ -3,32 +3,33 @@ module "wrapper" {
 
   for_each = var.items
 
-  trusted_role_actions              = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole", "sts:TagSession"])
-  trusted_role_arns                 = try(each.value.trusted_role_arns, var.defaults.trusted_role_arns, [])
-  trusted_role_services             = try(each.value.trusted_role_services, var.defaults.trusted_role_services, [])
-  mfa_age                           = try(each.value.mfa_age, var.defaults.mfa_age, 86400)
-  max_session_duration              = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
-  create_role                       = try(each.value.create_role, var.defaults.create_role, false)
+  admin_role_policy_arn             = try(each.value.admin_role_policy_arn, var.defaults.admin_role_policy_arn, "arn:aws:iam::aws:policy/AdministratorAccess")
+  allow_self_assume_role            = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+  attach_admin_policy               = try(each.value.attach_admin_policy, var.defaults.attach_admin_policy, false)
+  attach_poweruser_policy           = try(each.value.attach_poweruser_policy, var.defaults.attach_poweruser_policy, false)
+  attach_readonly_policy            = try(each.value.attach_readonly_policy, var.defaults.attach_readonly_policy, false)
+  create_custom_role_trust_policy   = try(each.value.create_custom_role_trust_policy, var.defaults.create_custom_role_trust_policy, false)
   create_instance_profile           = try(each.value.create_instance_profile, var.defaults.create_instance_profile, false)
-  role_name                         = try(each.value.role_name, var.defaults.role_name, null)
-  role_name_prefix                  = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null)
-  role_path                         = try(each.value.role_path, var.defaults.role_path, "/")
-  role_requires_mfa                 = try(each.value.role_requires_mfa, var.defaults.role_requires_mfa, true)
-  role_permissions_boundary_arn     = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "")
-  tags                              = try(each.value.tags, var.defaults.tags, {})
+  create_role                       = try(each.value.create_role, var.defaults.create_role, false)
   custom_role_policy_arns           = try(each.value.custom_role_policy_arns, var.defaults.custom_role_policy_arns, [])
   custom_role_trust_policy          = try(each.value.custom_role_trust_policy, var.defaults.custom_role_trust_policy, "")
+  force_detach_policies             = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
+  max_session_duration              = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
+  mfa_age                           = try(each.value.mfa_age, var.defaults.mfa_age, 86400)
   number_of_custom_role_policy_arns = try(each.value.number_of_custom_role_policy_arns, var.defaults.number_of_custom_role_policy_arns, null)
-  admin_role_policy_arn             = try(each.value.admin_role_policy_arn, var.defaults.admin_role_policy_arn, "arn:aws:iam::aws:policy/AdministratorAccess")
   poweruser_role_policy_arn         = try(each.value.poweruser_role_policy_arn, var.defaults.poweruser_role_policy_arn, "arn:aws:iam::aws:policy/PowerUserAccess")
   readonly_role_policy_arn          = try(each.value.readonly_role_policy_arn, var.defaults.readonly_role_policy_arn, "arn:aws:iam::aws:policy/ReadOnlyAccess")
-  attach_admin_policy               = try(each.value.attach_admin_policy, var.defaults.attach_admin_policy, false)
-  attach_poweruser_policy           = try(each.value.attach_poweruser_policy, var.defaults.attach_poweruser_policy, false)
-  attach_readonly_policy            = try(each.value.attach_readonly_policy, var.defaults.attach_readonly_policy, false)
-  force_detach_policies             = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
   role_description                  = try(each.value.role_description, var.defaults.role_description, "")
-  role_sts_externalid               = try(each.value.role_sts_externalid, var.defaults.role_sts_externalid, [])
-  allow_self_assume_role            = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+  role_name                         = try(each.value.role_name, var.defaults.role_name, null)
+  role_name_prefix                  = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null)
+  role_path                         = try(each.value.role_path, var.defaults.role_path, "/")
+  role_permissions_boundary_arn     = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "")
+  role_requires_mfa                 = try(each.value.role_requires_mfa, var.defaults.role_requires_mfa, true)
   role_requires_session_name        = try(each.value.role_requires_session_name, var.defaults.role_requires_session_name, false)
   role_session_name                 = try(each.value.role_session_name, var.defaults.role_session_name, ["$${aws:username}"])
+  role_sts_externalid               = try(each.value.role_sts_externalid, var.defaults.role_sts_externalid, [])
+  tags                              = try(each.value.tags, var.defaults.tags, {})
+  trusted_role_actions              = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole", "sts:TagSession"])
+  trusted_role_arns                 = try(each.value.trusted_role_arns, var.defaults.trusted_role_arns, [])
+  trusted_role_services             = try(each.value.trusted_role_services, var.defaults.trusted_role_services, [])
 }

wrappers/iam-assumable-roles-with-saml/main.tf

@@ -3,29 +3,29 @@ module "wrapper" {
 
   for_each = var.items
 
-  provider_id                             = try(each.value.provider_id, var.defaults.provider_id, "")
-  provider_ids                            = try(each.value.provider_ids, var.defaults.provider_ids, [])
-  aws_saml_endpoint                       = try(each.value.aws_saml_endpoint, var.defaults.aws_saml_endpoint, "https://signin.aws.amazon.com/saml")
-  allow_self_assume_role                  = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
-  trusted_role_actions                    = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRoleWithSAML", "sts:TagSession"])
-  create_admin_role                       = try(each.value.create_admin_role, var.defaults.create_admin_role, false)
   admin_role_name                         = try(each.value.admin_role_name, var.defaults.admin_role_name, "admin")
   admin_role_path                         = try(each.value.admin_role_path, var.defaults.admin_role_path, "/")
-  admin_role_policy_arns                  = try(each.value.admin_role_policy_arns, var.defaults.admin_role_policy_arns, ["arn:aws:iam::aws:policy/AdministratorAccess"])
   admin_role_permissions_boundary_arn     = try(each.value.admin_role_permissions_boundary_arn, var.defaults.admin_role_permissions_boundary_arn, "")
+  admin_role_policy_arns                  = try(each.value.admin_role_policy_arns, var.defaults.admin_role_policy_arns, ["arn:aws:iam::aws:policy/AdministratorAccess"])
   admin_role_tags                         = try(each.value.admin_role_tags, var.defaults.admin_role_tags, {})
+  allow_self_assume_role                  = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+  aws_saml_endpoint                       = try(each.value.aws_saml_endpoint, var.defaults.aws_saml_endpoint, "https://signin.aws.amazon.com/saml")
+  create_admin_role                       = try(each.value.create_admin_role, var.defaults.create_admin_role, false)
   create_poweruser_role                   = try(each.value.create_poweruser_role, var.defaults.create_poweruser_role, false)
+  create_readonly_role                    = try(each.value.create_readonly_role, var.defaults.create_readonly_role, false)
+  force_detach_policies                   = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
+  max_session_duration                    = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
   poweruser_role_name                     = try(each.value.poweruser_role_name, var.defaults.poweruser_role_name, "poweruser")
   poweruser_role_path                     = try(each.value.poweruser_role_path, var.defaults.poweruser_role_path, "/")
-  poweruser_role_policy_arns              = try(each.value.poweruser_role_policy_arns, var.defaults.poweruser_role_policy_arns, ["arn:aws:iam::aws:policy/PowerUserAccess"])
   poweruser_role_permissions_boundary_arn = try(each.value.poweruser_role_permissions_boundary_arn, var.defaults.poweruser_role_permissions_boundary_arn, "")
+  poweruser_role_policy_arns              = try(each.value.poweruser_role_policy_arns, var.defaults.poweruser_role_policy_arns, ["arn:aws:iam::aws:policy/PowerUserAccess"])
   poweruser_role_tags                     = try(each.value.poweruser_role_tags, var.defaults.poweruser_role_tags, {})
-  create_readonly_role                    = try(each.value.create_readonly_role, var.defaults.create_readonly_role, false)
+  provider_id                             = try(each.value.provider_id, var.defaults.provider_id, "")
+  provider_ids                            = try(each.value.provider_ids, var.defaults.provider_ids, [])
   readonly_role_name                      = try(each.value.readonly_role_name, var.defaults.readonly_role_name, "readonly")
   readonly_role_path                      = try(each.value.readonly_role_path, var.defaults.readonly_role_path, "/")
-  readonly_role_policy_arns               = try(each.value.readonly_role_policy_arns, var.defaults.readonly_role_policy_arns, ["arn:aws:iam::aws:policy/ReadOnlyAccess"])
   readonly_role_permissions_boundary_arn  = try(each.value.readonly_role_permissions_boundary_arn, var.defaults.readonly_role_permissions_boundary_arn, "")
+  readonly_role_policy_arns               = try(each.value.readonly_role_policy_arns, var.defaults.readonly_role_policy_arns, ["arn:aws:iam::aws:policy/ReadOnlyAccess"])
   readonly_role_tags                      = try(each.value.readonly_role_tags, var.defaults.readonly_role_tags, {})
-  max_session_duration                    = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
-  force_detach_policies                   = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
+  trusted_role_actions                    = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRoleWithSAML", "sts:TagSession"])
 }