Address issues identified by pre-commit.

examples/iam-role-for-service-accounts-eks/README.md

@@ -48,6 +48,7 @@ Run `terraform destroy` when you don't need these resources.
 | <a name="module_fsx_lustre_csi_irsa_role"></a> [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_iam_eks_role"></a> [iam\_eks\_role](#module\_iam\_eks\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_iam_policy"></a> [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | n/a |
+| <a name="module_irsa_assumable_role_with_external_principals"></a> [irsa\_assumable\_role\_with\_external\_principals](#module\_irsa\_assumable\_role\_with\_external\_principals) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_irsa_role"></a> [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_karpenter_controller_irsa_role"></a> [karpenter\_controller\_irsa\_role](#module\_karpenter\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_load_balancer_controller_irsa_role"></a> [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |

examples/iam-role-for-service-accounts-eks/main.tf

@@ -57,9 +57,9 @@ module "irsa_role" {
 module "irsa_assumable_role_with_external_principals" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name              = local.name
-  allow_self_assume_role = true
-  additional_assumable_principal_arns = [ module.irsa_role.iam_role_arn ]
+  role_name                           = local.name
+  allow_self_assume_role              = true
+  additional_assumable_principal_arns = [module.irsa_role.iam_role_arn]
 
   oidc_providers = {
     first = {
@@ -69,7 +69,7 @@ module "irsa_assumable_role_with_external_principals" {
   }
 
   role_policy_arns = {
-    additional           = aws_iam_policy.additional.arn
+    additional = aws_iam_policy.additional.arn
   }
 
   tags = local.tags

modules/iam-role-for-service-accounts-eks/README.md

@@ -188,8 +188,8 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_additional_assumable_principal_arns"></a> [additional\_assumable\_principal\_arns](#input\_additional\_assumable\_principal\_arns) | A list of additional trusted AWS Principals (IAM roles and users) allowed to assume this role, applied only if `allow_self_assume_role` is true. | `list(string)` | `[]` | no |
 | <a name="input_allow_self_assume_role"></a> [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no |
-| <a name="input_additional_assumable_principal_arns"></a> [additional\_assumable\_principal\_arns](#input\_additional\_assumable\_principal\_arns) | A list of additional trusted AWS Principals (IAM roles and users) allowed to assume this role, applied only if [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) is true. | `list(string)` | `[]` | no |
 | <a name="input_amazon_managed_service_prometheus_workspace_arns"></a> [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_assume_role_condition_test"></a> [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
 | <a name="input_attach_amazon_managed_service_prometheus_policy"></a> [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no |

modules/iam-role-for-service-accounts-eks/main.tf

@@ -30,7 +30,7 @@ data "aws_iam_policy_document" "this" {
       condition {
         test     = "ArnLike"
         variable = "aws:PrincipalArn"
-        values   = concat(
+        values = concat(
           ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"],
           var.additional_assumable_principal_arns
         )

modules/iam-role-for-service-accounts-eks/variables.tf

@@ -84,8 +84,8 @@ variable "allow_self_assume_role" {
 
 variable "additional_assumable_principal_arns" {
   description = "A list of additional trusted AWS Principals (IAM roles and users) allowed to assume this role, applied only if `allow_self_assume_role` is true."
-  type = list(string)
-  default = []
+  type        = list(string)
+  default     = []
 }
 
 ################################################################################

wrappers/iam-role-for-service-accounts-eks/main.tf

@@ -3,6 +3,7 @@ module "wrapper" {
 
   for_each = var.items
 
+  additional_assumable_principal_arns                             = try(each.value.additional_assumable_principal_arns, var.defaults.additional_assumable_principal_arns, [])
   allow_self_assume_role                                          = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
   amazon_managed_service_prometheus_workspace_arns                = try(each.value.amazon_managed_service_prometheus_workspace_arns, var.defaults.amazon_managed_service_prometheus_workspace_arns, ["*"])
   assume_role_condition_test                                      = try(each.value.assume_role_condition_test, var.defaults.assume_role_condition_test, "StringEquals")