use for_each over count for iteration (#96)

* issue #30, use for_each over count for iteration

* fix ifs

* fixes for the target

* docs: add CHANGELOG.md for 2.0.0 breaking changes

* fix: use index-based keys for for_each to support unknown values

* docs: update CHANGELOG state migration examples with correct index-based keys

* feat: use name attribute as for_each key for authorization_rules and additional_routes

- authorization_rules: uses `name` if provided, otherwise falls back to list index
- additional_routes: added optional `name` attribute, uses it as key if provided, otherwise falls back to list index
- Updated CHANGELOG with improved state migration examples and documentation for the new name attribute

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: update README usage example with optional name attribute

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: milldr <miller0daniel@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: 3 people

CHANGELOG.md

@@ -0,0 +1,45 @@
+# Changelog
+
+## 2.0.0
+
+### BREAKING CHANGES
+
+This release contains breaking changes that require action when upgrading.
+
+#### Resource iteration changed from `count` to `for_each` (#96)
+
+The following resources now use `for_each` instead of `count`:
+- `aws_ec2_client_vpn_network_association.default` - keyed by list index (`"0"`, `"1"`, etc.)
+- `aws_ec2_client_vpn_authorization_rule.default` - keyed by `name` attribute if provided, otherwise list index
+- `aws_ec2_client_vpn_route.default` - keyed by `name` attribute if provided, otherwise list index
+
+**Impact:** Terraform will see existing resources as needing replacement. To avoid recreation, migrate state before applying:
+
+```bash
+# Network associations use index-based keys
+terraform state mv 'aws_ec2_client_vpn_network_association.default[0]' 'aws_ec2_client_vpn_network_association.default["0"]'
+terraform state mv 'aws_ec2_client_vpn_network_association.default[1]' 'aws_ec2_client_vpn_network_association.default["1"]'
+
+# Authorization rules use the "name" attribute as the key
+terraform state mv 'aws_ec2_client_vpn_authorization_rule.default[0]' 'aws_ec2_client_vpn_authorization_rule.default["<name>"]'
+
+# Routes use "name" if provided, otherwise index
+terraform state mv 'aws_ec2_client_vpn_route.default[0]' 'aws_ec2_client_vpn_route.default["<name-or-index>"]'
+```
+
+#### New optional `name` attribute for `additional_routes`
+
+The `additional_routes` variable now supports an optional `name` attribute. When provided, it is used as the `for_each` key for the route resource. This enables more stable resource addressing.
+
+```hcl
+additional_routes = [
+  {
+    name                   = "internet"  # Optional: used as for_each key
+    destination_cidr_block = "0.0.0.0/0"
+    description            = "Internet Route"
+    target_vpc_subnet_id   = "subnet-abc123"
+  }
+]
+```
+
+Thanks to @jurgenweber for the contribution!

README.md

@@ -105,6 +105,7 @@ module "ec2_client_vpn" {
 
   additional_routes = [
     {
+      name                   = "internet"
       destination_cidr_block = "0.0.0.0/0"
       description            = "Internet Route"
       target_vpc_subnet_id   = element(module.subnets.private_subnet_ids, 0)
@@ -175,7 +176,7 @@ Here is an example of using this module:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_additional_routes"></a> [additional\_routes](#input\_additional\_routes) | A list of additional routes that should be attached to the Client VPN endpoint | <pre>list(object({<br/>    destination_cidr_block = string<br/>    description            = string<br/>    target_vpc_subnet_id   = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_additional_routes"></a> [additional\_routes](#input\_additional\_routes) | A list of additional routes that should be attached to the Client VPN endpoint | <pre>list(object({<br/>    destination_cidr_block = string<br/>    description            = string<br/>    target_vpc_subnet_id   = string<br/>    name                   = optional(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_additional_security_group_rules"></a> [additional\_security\_group\_rules](#input\_additional\_security\_group\_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones<br/>this module normally creates. (To suppress the module's rules, set `create_security_group` to false<br/>and supply your own security group via `associated_security_group_ids`.)<br/>The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except<br/>for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.<br/>To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | `[]` | no |
 | <a name="input_additional_security_groups"></a> [additional\_security\_groups](#input\_additional\_security\_groups) | DEPRECATED: Use `associated_security_group_ids` instead.<br/>List of security groups to attach to the client vpn network associations | `list(string)` | `[]` | no |
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br/>This is for some rare cases where resources want additional configuration of tags<br/>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |

README.yaml

@@ -116,6 +116,7 @@ usage: |-
 
     additional_routes = [
       {
+        name                   = "internet"
         destination_cidr_block = "0.0.0.0/0"
         description            = "Internet Route"
         target_vpc_subnet_id   = element(module.subnets.private_subnet_ids, 0)

examples/complete/main.tf

@@ -11,6 +11,7 @@ locals {
     destination_cidr_block = route.destination_cidr_block
     description            = route.description
     target_vpc_subnet_id   = element(module.subnets.private_subnet_ids, 0)
+    name                   = route.name
   }]
 }
 

examples/complete/variables.tf

@@ -61,6 +61,7 @@ variable "additional_routes" {
   type = list(object({
     destination_cidr_block = string
     description            = string
+    name                   = optional(string)
   }))
 }
 

main.tf

@@ -229,29 +229,35 @@ module "vpn_security_group" {
 }
 
 resource "aws_ec2_client_vpn_network_association" "default" {
-  count = local.enabled ? length(var.associated_subnets) : 0
+  for_each = {
+    for k, v in var.associated_subnets : tostring(k) => v if local.enabled
+  }
 
   client_vpn_endpoint_id = join("", aws_ec2_client_vpn_endpoint.default[*].id)
-  subnet_id              = var.associated_subnets[count.index]
+  subnet_id              = each.value
 }
 
 resource "aws_ec2_client_vpn_authorization_rule" "default" {
-  count = local.enabled ? length(var.authorization_rules) : 0
+  for_each = {
+    for k, v in var.authorization_rules : coalesce(lookup(v, "name", null), tostring(k)) => v if local.enabled
+  }
 
-  access_group_id        = lookup(var.authorization_rules[count.index], "access_group_id", null)
-  authorize_all_groups   = lookup(var.authorization_rules[count.index], "authorize_all_groups", null)
+  access_group_id        = lookup(each.value, "access_group_id", null)
+  authorize_all_groups   = lookup(each.value, "authorize_all_groups", null)
   client_vpn_endpoint_id = join("", aws_ec2_client_vpn_endpoint.default[*].id)
-  description            = var.authorization_rules[count.index].description
-  target_network_cidr    = var.authorization_rules[count.index].target_network_cidr
+  description            = each.value.description
+  target_network_cidr    = each.value.target_network_cidr
 }
 
 resource "aws_ec2_client_vpn_route" "default" {
-  count = local.enabled ? length(var.additional_routes) : 0
+  for_each = {
+    for k, v in var.additional_routes : coalesce(v.name, tostring(k)) => v if local.enabled
+  }
 
-  description            = try(var.additional_routes[count.index].description, null)
-  destination_cidr_block = var.additional_routes[count.index].destination_cidr_block
+  description            = lookup(each.value, "description", null)
+  destination_cidr_block = each.value.destination_cidr_block
   client_vpn_endpoint_id = join("", aws_ec2_client_vpn_endpoint.default[*].id)
-  target_vpc_subnet_id   = var.additional_routes[count.index].target_vpc_subnet_id
+  target_vpc_subnet_id   = each.value.target_vpc_subnet_id
 
   depends_on = [
     aws_ec2_client_vpn_network_association.default

variables.tf

@@ -70,6 +70,7 @@ variable "additional_routes" {
     destination_cidr_block = string
     description            = string
     target_vpc_subnet_id   = string
+    name                   = optional(string)
   }))
 }