Merge branch 'main' into fix-iam-attachments

cloudposse · Oct 12, 2023 · bd24cc2 · bd24cc2
2 parents 9917447 + 18b8620
commit bd24cc2
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 12 deletions.
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -1,13 +1,14 @@
 {
   "extends": [
     "config:base",
-    ":preserveSemverRanges"
+    ":preserveSemverRanges",
+    ":rebaseStalePrs"
   ],
-  "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"],
+  "baseBranches": ["main"],
   "labels": ["auto-update"],
   "dependencyDashboardAutoclose": true,
   "enabledManagers": ["terraform"],
   "terraform": {
-    "ignorePaths": ["**/context.tf", "examples/**"]
+    "ignorePaths": ["**/context.tf"]
   }
 }
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
@@ -10,6 +10,7 @@ on:
       - 'docs/**'
       - 'examples/**'
       - 'test/**'
+      - 'README.*'
 
 permissions:
   contents: write

diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml
@@ -11,4 +11,4 @@ permissions:
 
 jobs:
   terraform-module:
-    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
+    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main
diff --git a/README.md b/README.md
@@ -90,10 +90,6 @@ We highly recommend that in your code you pin the version to the exact version y
 using so that your infrastructure remains stable, and update versions in a
 systematic way so that they do not catch you by surprise.
 
-Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
-the registry shows many of our inputs as required when in fact they are optional.
-The table below correctly indicates which inputs are required.
-
 
 For a complete example, see [examples/complete](examples/complete).
 For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)

diff --git a/iam-role.tf b/iam-role.tf
@@ -1,9 +1,15 @@
+locals {
+  custom_iam_policy_arns_map = length(var.custom_iam_policy_arns) > 0 ? { for i, arn in var.custom_iam_policy_arns : i => arn } : {}
+}
+
 resource "aws_iam_role" "this" {
   count = local.enabled ? 1 : 0
 
   name                 = "${var.function_name}-${local.region_name}"
-  assume_role_policy   = join("", data.aws_iam_policy_document.assume_role_policy.*.json)
+  assume_role_policy   = join("", data.aws_iam_policy_document.assume_role_policy[*].json)
   permissions_boundary = var.permissions_boundary
+
+  tags = module.this.tags
 }
 
 data "aws_iam_policy_document" "assume_role_policy" {
@@ -68,6 +74,8 @@ resource "aws_iam_policy" "ssm" {
   name        = "${var.function_name}-ssm-policy-${local.region_name}"
   description = var.iam_policy_description
   policy      = data.aws_iam_policy_document.ssm[count.index].json
+
+  tags = module.this.tags
 }
 
 resource "aws_iam_role_policy_attachment" "ssm" {
@@ -78,8 +86,8 @@ resource "aws_iam_role_policy_attachment" "ssm" {
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
-  for_each = local.enabled && length(var.custom_iam_policy_arns) > 0 ? var.custom_iam_policy_arns : toset([])
+  for_each = local.enabled ? local.custom_iam_policy_arns_map : {}
 
   role       = aws_iam_role.this[0].name
-  policy_arn = each.key
+  policy_arn = each.value
 }
diff --git a/main.tf b/main.tf
@@ -39,7 +39,7 @@ resource "aws_lambda_function" "this" {
   s3_key                         = var.s3_key
   s3_object_version              = var.s3_object_version
   source_code_hash               = var.source_code_hash
-  tags                           = var.tags
+  tags                           = module.this.tags
   timeout                        = var.timeout
 
   dynamic "dead_letter_config" {