Merge pull request #84 from worldcoin/copilot/sub-pr-83

danielllek · web-flow · commit 5f8e0fd94c00 · 2026-02-22T18:35:03.000+01:00
Attach explicit-deny ELB policy to all matching LBC IAM roles
diff --git a/main.tf b/main.tf
@@ -71,7 +71,7 @@ data "aws_iam_roles" "aws_load_balancer_controller" {
 
 locals {
   aws_load_balancer_controller_role_exists = var.enable_aws_load_balancer_controller_explicit_deny ? length(data.aws_iam_roles.aws_load_balancer_controller.names) > 0 : false
-  aws_load_balancer_controller_role_name   = local.aws_load_balancer_controller_role_exists ? sort(tolist(data.aws_iam_roles.aws_load_balancer_controller.names))[0] : null
+  aws_load_balancer_controller_role_names  = local.aws_load_balancer_controller_role_exists ? toset(data.aws_iam_roles.aws_load_balancer_controller.names) : toset([])
 }
 
 data "aws_iam_policy_document" "aws_load_balancer_controller_explicit_deny" {
@@ -90,8 +90,8 @@ resource "aws_iam_policy" "aws_load_balancer_controller_explicit_deny" {
 }
 
 resource "aws_iam_role_policy_attachment" "aws_load_balancer_controller_explicit_deny" {
-  count      = local.aws_load_balancer_controller_role_exists ? 1 : 0
-  role       = local.aws_load_balancer_controller_role_name
+  for_each   = local.aws_load_balancer_controller_role_names
+  role       = each.value
   policy_arn = aws_iam_policy.aws_load_balancer_controller_explicit_deny[0].arn
 }
   

Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ data "aws_iam_roles" "aws_load_balancer_controller" {`
`71`	`71`
`72`	`72`	`locals {`
`73`	`73`	`aws_load_balancer_controller_role_exists = var.enable_aws_load_balancer_controller_explicit_deny ? length(data.aws_iam_roles.aws_load_balancer_controller.names) > 0 : false`
`74`		`- aws_load_balancer_controller_role_name = local.aws_load_balancer_controller_role_exists ? sort(tolist(data.aws_iam_roles.aws_load_balancer_controller.names))[0] : null`
	`74`	`+ aws_load_balancer_controller_role_names = local.aws_load_balancer_controller_role_exists ? toset(data.aws_iam_roles.aws_load_balancer_controller.names) : toset([])`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`data "aws_iam_policy_document" "aws_load_balancer_controller_explicit_deny" {`
`@@ -90,8 +90,8 @@ resource "aws_iam_policy" "aws_load_balancer_controller_explicit_deny" {`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`resource "aws_iam_role_policy_attachment" "aws_load_balancer_controller_explicit_deny" {`
`93`		`- count = local.aws_load_balancer_controller_role_exists ? 1 : 0`
`94`		`- role = local.aws_load_balancer_controller_role_name`
	`93`	`+ for_each = local.aws_load_balancer_controller_role_names`
	`94`	`+ role = each.value`
`95`	`95`	`policy_arn = aws_iam_policy.aws_load_balancer_controller_explicit_deny[0].arn`
`96`	`96`	`}`
`97`	`97`