Closed herman-wong-cf closed 1 month ago
With feedback from Hunter, adjusted the count instead to appropriately respond to the boolean variable "add_SSMManagedInstanceCore". Count is kept, but will only have a result of 1 or 0 instead of "length(var.iam_policies)" which could result in multiple attachments.
Describe the bug
The "count" meta argument of the iam.tf => resource "aws_iam_role_policy_attachment" "ssm_role_policy_attach" is completely unnecessary. That is an artifact of the original module from FastRAMP that this code repository is copied from.
Additional context
The original code is meant to attach the minimum necessary permissions to successfully use SSM Session Manager to obtain shell access on any EC2 (mostly Linux) instance without exposing SSH port 22 (useful to skip bastion hosts entirely). Since this policy should always be attached, having a "count" is completely pointless. Having the "count" be based on the number of IAM policies to attach causes issues by creating multiple attachments (which is unnecessary).
"Count" should be removed entirely on the resource.
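The faulty attachment beside the form that was merged, as an added illustration rather than the repository's own iam.tf. The aws_iam_role named "ssm", the variable types and the separate "extra" attachment are assumptions; the managed policy ARN is AWS's real AmazonSSMManagedInstanceCore.

```hcl
variable "iam_policies" {
  description = "Additional policy ARNs to attach to the instance role (assumed type)"
  type        = list(string)
  default     = []
}

variable "add_SSMManagedInstanceCore" {
  description = "Attach AmazonSSMManagedInstanceCore so Session Manager can reach the instance"
  type        = bool
  default     = true
}

# Hypothetical role; only the name matters for the attachments below.
resource "aws_iam_role" "ssm" {
  name = "ec2-ssm-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# BEFORE: one attachment per entry in var.iam_policies, every one carrying
# the same policy ARN. Three extra policies yield three resources that all
# describe the single real attachment, and with zero extras SSM is never
# attached at all.
# resource "aws_iam_role_policy_attachment" "ssm_role_policy_attach" {
#   count      = length(var.iam_policies)
#   role       = aws_iam_role.ssm.name
#   policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
# }

# AFTER (merged form): at most one attachment, gated only by the boolean.
resource "aws_iam_role_policy_attachment" "ssm_role_policy_attach" {
  count      = var.add_SSMManagedInstanceCore ? 1 : 0
  role       = aws_iam_role.ssm.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# The policies in var.iam_policies get their own attachments, keyed by ARN
# so adding or removing one does not shift the others (assumed resource).
resource "aws_iam_role_policy_attachment" "extra" {
  for_each   = toset(var.iam_policies)
  role       = aws_iam_role.ssm.name
  policy_arn = each.value
}
```

Dropping "count" entirely, as the issue proposes, is the same as the merged form with the boolean fixed to true; either way a single attachment is all the SSM agent needs.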