fixes: Changing task_exec_policy_arns or task_policy_arns cause recreations #167 (#178)

Benbentwo · cloudpossebot · web-flow · commit 14008fc2491e · 2022-12-01T15:20:19.000-08:00
* fix: role uses count

* update other policies

* solves policy updates and fixes outputs

* cleanup

* cleanup

* Auto Format

Co-authored-by: cloudpossebot &lt;11232728+cloudpossebot@users.noreply.github.com&gt;
diff --git a/main.tf b/main.tf
@@ -159,8 +159,8 @@ resource "aws_iam_role" "ecs_task" {
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_task" {
-  count      = local.create_task_role ? length(var.task_policy_arns) : 0
-  policy_arn = var.task_policy_arns[count.index]
+  for_each   = local.create_task_role ? toset(var.task_policy_arns) : toset([])
+  policy_arn = each.value
   role       = join("", aws_iam_role.ecs_task.*.id)
 }
 
@@ -279,15 +279,15 @@ data "aws_iam_policy_document" "ecs_exec" {
 }
 
 resource "aws_iam_role_policy" "ecs_exec" {
-  count  = local.create_exec_role ? 1 : 0
-  name   = module.exec_label.id
-  policy = join("", data.aws_iam_policy_document.ecs_exec.*.json)
-  role   = join("", aws_iam_role.ecs_exec.*.id)
+  for_each = local.create_exec_role ? toset(["true"]) : toset([])
+  name     = module.exec_label.id
+  policy   = join("", data.aws_iam_policy_document.ecs_exec.*.json)
+  role     = join("", aws_iam_role.ecs_exec.*.id)
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_exec" {
-  count      = local.create_exec_role ? length(var.task_exec_policy_arns) : 0
-  policy_arn = var.task_exec_policy_arns[count.index]
+  for_each   = local.create_exec_role ? toset(var.task_exec_policy_arns) : toset([])
+  policy_arn = each.value
   role       = join("", aws_iam_role.ecs_exec.*.id)
 }
 
diff --git a/outputs.tf b/outputs.tf
@@ -1,11 +1,15 @@
 output "ecs_exec_role_policy_id" {
   description = "The ECS service role policy ID, in the form of `role_name:role_policy_name`"
-  value       = join("", aws_iam_role_policy.ecs_exec.*.id)
+  value = join("", [
+    for k, v in aws_iam_role_policy.ecs_exec : v.id
+  ])
 }
 
 output "ecs_exec_role_policy_name" {
   description = "ECS service role name"
-  value       = join("", aws_iam_role_policy.ecs_exec.*.name)
+  value = join("", [
+    for k, v in aws_iam_role_policy.ecs_exec : v.name
+  ])
 }
 
 output "service_name" {

Original file line number	Diff line number	Diff line change
`@@ -159,8 +159,8 @@ resource "aws_iam_role" "ecs_task" {`
`159`	`159`	`}`
`160`	`160`
`161`	`161`	`resource "aws_iam_role_policy_attachment" "ecs_task" {`
`162`		`- count = local.create_task_role ? length(var.task_policy_arns) : 0`
`163`		`- policy_arn = var.task_policy_arns[count.index]`
	`162`	`+ for_each = local.create_task_role ? toset(var.task_policy_arns) : toset([])`
	`163`	`+ policy_arn = each.value`
`164`	`164`	`role = join("", aws_iam_role.ecs_task.*.id)`
`165`	`165`	`}`
`166`	`166`
`@@ -279,15 +279,15 @@ data "aws_iam_policy_document" "ecs_exec" {`
`279`	`279`	`}`
`280`	`280`
`281`	`281`	`resource "aws_iam_role_policy" "ecs_exec" {`
`282`		`- count = local.create_exec_role ? 1 : 0`
`283`		`- name = module.exec_label.id`
`284`		`- policy = join("", data.aws_iam_policy_document.ecs_exec.*.json)`
`285`		`- role = join("", aws_iam_role.ecs_exec.*.id)`
	`282`	`+ for_each = local.create_exec_role ? toset(["true"]) : toset([])`
	`283`	`+ name = module.exec_label.id`
	`284`	`+ policy = join("", data.aws_iam_policy_document.ecs_exec.*.json)`
	`285`	`+ role = join("", aws_iam_role.ecs_exec.*.id)`
`286`	`286`	`}`
`287`	`287`
`288`	`288`	`resource "aws_iam_role_policy_attachment" "ecs_exec" {`
`289`		`- count = local.create_exec_role ? length(var.task_exec_policy_arns) : 0`
`290`		`- policy_arn = var.task_exec_policy_arns[count.index]`
	`289`	`+ for_each = local.create_exec_role ? toset(var.task_exec_policy_arns) : toset([])`
	`290`	`+ policy_arn = each.value`
`291`	`291`	`role = join("", aws_iam_role.ecs_exec.*.id)`
`292`	`292`	`}`
`293`	`293`