Switched from using a map to an array - this is simpler and in keeping with the way the resource should be defined.

Author: dtappert

README.md

@@ -287,7 +287,7 @@ No modules.
 | <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | Permission Sets that you wish to create in IAM Identity Center. This variable is a map of maps containing Permission Set names as keys. See permission\_sets description in README for information about map values. | `any` | `{}` | no |
 | <a name="input_sso_applications"></a> [sso\_applications](#input\_sso\_applications) | List of applications to be created in IAM Identity Center | <pre>map(object({<br>    name                     = string<br>    application_provider_arn = string<br>    description              = optional(string)<br>    portal_options = optional(object({<br>      sign_in_options = optional(object({<br>        application_url = optional(string)<br>        origin          = string<br>      }))<br>      visibility = optional(string)<br>    }))<br>    status              = string # acceptable values are "ENABLED" or "DISABLED"<br>    client_token        = optional(string)<br>    tags                = optional(map(string))<br>    assignment_required = bool # Resource: aws_ssoadmin_application_assignment_configuration<br>    assignments_access_scope = optional(<br>      list(object({<br>        authorized_targets = optional(list(string)) # List of application names<br>        scope              = string<br>      }))<br>    )                                          # Resource: aws_ssoadmin_application_access_scope<br>    group_assignments = optional(list(string)) # Resource aws_ssoadmin_application_assignment, keeping it separated for groups<br>    user_assignments  = optional(list(string)) # Resource aws_ssoadmin_application_assignment, keeping it separated for users<br>  }))</pre> | `{}` | no |
 | <a name="input_sso_groups"></a> [sso\_groups](#input\_sso\_groups) | Names of the groups you wish to create in IAM Identity Center. | <pre>map(object({<br>    group_name        = string<br>    group_description = optional(string, null)<br>  }))</pre> | `{}` | no |
-| <a name="input_sso_instance_access_control_attributes"></a> [sso\_instance\_access\_control\_attributes](#input\_sso\_instance\_access\_control\_attributes) | List of attributes for access control. This is used to create the enable and use attributes for access control. | <pre>map(object({<br>    attribute_name = string<br>    source = set(string)<br>  }))</pre> | `{}` | no |
+| <a name="input_sso_instance_access_control_attributes"></a> [sso\_instance\_access\_control\_attributes](#input\_sso\_instance\_access\_control\_attributes) | List of attributes for access control. This is used to create the enable and use attributes for access control. | <pre>list(object({<br>    attribute_name = string<br>    source = set(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_sso_users"></a> [sso\_users](#input\_sso\_users) | Names of the users you wish to create in IAM Identity Center. | <pre>map(object({<br>    display_name     = optional(string)<br>    user_name        = string<br>    group_membership = list(string)<br>    # Name<br>    given_name       = string<br>    middle_name      = optional(string, null)<br>    family_name      = string<br>    name_formatted   = optional(string)<br>    honorific_prefix = optional(string, null)<br>    honorific_suffix = optional(string, null)<br>    # Email<br>    email            = string<br>    email_type       = optional(string, null)<br>    is_primary_email = optional(bool, true)<br>    # Phone Number<br>    phone_number            = optional(string, null)<br>    phone_number_type       = optional(string, null)<br>    is_primary_phone_number = optional(bool, true)<br>    # Address<br>    country            = optional(string, " ")<br>    locality           = optional(string, " ")<br>    address_formatted  = optional(string)<br>    postal_code        = optional(string, " ")<br>    is_primary_address = optional(bool, true)<br>    region             = optional(string, " ")<br>    street_address     = optional(string, " ")<br>    address_type       = optional(string, null)<br>    # Additional<br>    user_type          = optional(string, null)<br>    title              = optional(string, null)<br>    locale             = optional(string, null)<br>    nickname           = optional(string, null)<br>    preferred_language = optional(string, null)<br>    profile_url        = optional(string, null)<br>    timezone           = optional(string, null)<br>  }))</pre> | `{}` | no |
 
 ## Outputs

examples/instance-access-control-attributes/.header.md

@@ -1,17 +1,14 @@
 This directory contains examples of using the module to **create** instance access control attributes.
 
-**IMPORTANT:** Ensure that the name of your object matches the name of your principal (e.g. user name or group name). See the following example with object/principal names 'FirstName' and 'LastName':
-
 ```hcl
-  sso_instance_access_control_attributes = {
-    FirstName = { 
+  sso_instance_access_control_attributes = [
+    { 
       attribute_name = "FirstName"
       source = ["$${path:name.givenName}"]
-    }
-    LastName = {
+    },
+    {
       attribute_name = "LastName"
       source = ["$${path:name.familyName}"]
     }
-  }
-
+  ]
 ```

examples/instance-access-control-attributes/README.md

@@ -1,20 +1,17 @@
 <!-- BEGIN_TF_DOCS -->
 This directory contains examples of using the module to **create** instance access control attributes.
 
-**IMPORTANT:** Ensure that the name of your object matches the name of your principal (e.g. user name or group name). See the following example with object/principal names 'FirstName' and 'LastName':
-
 ```hcl
-  sso_instance_access_control_attributes = {
-    FirstName = {
+  sso_instance_access_control_attributes = [
+    {
       attribute_name = "FirstName"
       source = ["$${path:name.givenName}"]
-    }
-    LastName = {
+    },
+    {
       attribute_name = "LastName"
       source = ["$${path:name.familyName}"]
     }
-  }
-
+  ]
 ```
 
 ## Requirements

examples/instance-access-control-attributes/main.tf

@@ -2,14 +2,14 @@ module "aws-iam-identity-center" {
     source = "../.." // local example
 
   //Create desired access control attributes
-  sso_instance_access_control_attributes = {
-    FirstName = { 
+  sso_instance_access_control_attributes = [
+    { 
       attribute_name = "FirstName"
       source = ["$${path:name.givenName}"]
-    }
-    LastName = {
+    },
+    {
       attribute_name = "LastName"
       source = ["$${path:name.familyName}"]
     }
-  }
+  ]
 }

locals.tf

@@ -218,16 +218,3 @@ locals {
     ]
   ])
 }
-
-# - IAM Access Control Attributes
-locals {
-  # If user provides attributes, use those. If null/empty, provide minimum required
-  attributes_to_use = (
-    var.sso_instance_access_control_attributes != {}) ? var.sso_instance_access_control_attributes : {
-    # This default will only be used during plan phase and resource won't actually be created
-    Dummy = {
-      attribute_name = "Dummy"
-      source = ["dummy"]
-    }
-  }
-}

main.tf

@@ -323,15 +323,12 @@ resource  "aws_ssoadmin_instance_access_control_attributes" "sso_access_control_
   count = length(var.sso_instance_access_control_attributes) <= 0 ? 0 : 1
   instance_arn = local.ssoadmin_instance_arn
   dynamic "attribute" {
-    for_each = local.attributes_to_use
+    for_each = var.sso_instance_access_control_attributes
     content {
       key   = attribute.key
       value {
         source = attribute.value.source
       }
     }
   }
-  lifecycle { #TODO: need to check that this is a best practice and/or see if we should allow the user to define and/or override.
-    create_before_destroy = true
-  }
 }

variables.tf

@@ -149,26 +149,26 @@ variable "sso_applications" {
 #Access Control Attributes
 variable "sso_instance_access_control_attributes" {
   description = "List of attributes for access control. This is used to create the enable and use attributes for access control."
-  type = map(object({
+  type = list(object({
     attribute_name = string
     source = set(string)
   }))
-  default = {}
+  default = []
   validation {
     condition = alltrue([
-      for attr in values(var.sso_instance_access_control_attributes) :
+      for attr in var.sso_instance_access_control_attributes :
       attr.attribute_name != null &&
       attr.attribute_name != ""
     ])
     error_message = "The attribute_name field is mandatory for all attributes."
   }
   validation {
     condition = alltrue([
-      for attr in values(var.sso_instance_access_control_attributes) :
+      for attr in var.sso_instance_access_control_attributes :
       attr.source != null &&
       length(attr.source) > 0 &&  # checks if the set is not empty
       alltrue([for s in attr.source : s != ""]) # checks no empty strings in set
     ])
     error_message = "The attribute source is mandatory and must contain non-empty strings."
   }
-}
+}