fix: Revert policy_statements back to map()

Author: bryantbiggs

README.md

@@ -164,7 +164,7 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: `/_+=.@-` | `string` | `null` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Creates a unique name beginning with the specified prefix | `string` | `null` | no |
 | <a name="input_override_policy_documents"></a> [override\_policy\_documents](#input\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
-| <a name="input_policy_statements"></a> [policy\_statements](#input\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | <pre>list(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string)<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      values   = list(string)<br/>      variable = string<br/>    })))<br/>  }))</pre> | `null` | no |
+| <a name="input_policy_statements"></a> [policy\_statements](#input\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | <pre>map(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string)<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      values   = list(string)<br/>      variable = string<br/>    })))<br/>  }))</pre> | `null` | no |
 | <a name="input_random_password_length"></a> [random\_password\_length](#input\_random\_password\_length) | The length of the generated random password | `number` | `32` | no |
 | <a name="input_random_password_override_special"></a> [random\_password\_override\_special](#input\_random\_password\_override\_special) | Supply your own list of special characters to use for string generation. This overrides the default character list in the special argument | `string` | `"!@#$%&*()-_=+[]{}<>:?"` | no |
 | <a name="input_recovery_window_in_days"></a> [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be `0` to force deletion without recovery or range from `7` to `30` days. The default value is `30` | `number` | `null` | no |

examples/complete/main.tf

@@ -38,8 +38,8 @@ module "secrets_manager" {
   # Policy
   create_policy       = true
   block_public_policy = true
-  policy_statements = [
-    {
+  policy_statements = {
+    read = {
       sid = "AllowAccountRead"
       principals = [{
         type        = "AWS"
@@ -48,7 +48,7 @@ module "secrets_manager" {
       actions   = ["secretsmanager:GetSecretValue"]
       resources = ["*"]
     }
-  ]
+  }
 
   # Version
   create_random_password           = true
@@ -69,8 +69,8 @@ module "secrets_manager_rotate" {
   # Policy
   create_policy       = true
   block_public_policy = true
-  policy_statements = [
-    {
+  policy_statements = {
+    lambda = {
       sid = "LambdaReadWrite"
       principals = [{
         type        = "AWS"
@@ -83,8 +83,8 @@ module "secrets_manager_rotate" {
         "secretsmanager:UpdateSecretVersionStage",
       ]
       resources = ["*"]
-    },
-    {
+    }
+    account = {
       sid = "AccountDescribe"
       principals = [{
         type        = "AWS"
@@ -93,7 +93,7 @@ module "secrets_manager_rotate" {
       actions   = ["secretsmanager:DescribeSecret"]
       resources = ["*"]
     }
-  ]
+  }
 
   # Version
   ignore_secret_changes = true

main.tf

@@ -38,7 +38,7 @@ data "aws_iam_policy_document" "this" {
   override_policy_documents = var.override_policy_documents
 
   dynamic "statement" {
-    for_each = var.policy_statements != null ? var.policy_statements : []
+    for_each = var.policy_statements != null ? var.policy_statements : {}
 
     content {
       sid           = statement.value.sid

variables.tf

@@ -89,7 +89,7 @@ variable "override_policy_documents" {
 
 variable "policy_statements" {
   description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
-  type = list(object({
+  type = map(object({
     sid           = optional(string)
     actions       = optional(list(string))
     not_actions   = optional(list(string))