From 02e2abe4bedc1d06e69ff986af39924baa494975 Mon Sep 17 00:00:00 2001
From: SamuZad
Date: Wed, 31 May 2023 11:54:45 +0100
Subject: [PATCH 1/3] fix iam_role_additional_policies variable
---
 README.md | 9 +++++++--
 locals.tf | 2 +-
 main.tf | 2 +-
 variables.tf | 4 ++--
 4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 9a4b244..f9af5ca 100644
--- a/README.md
+++ b/README.md
@@ -28,8 +28,13 @@ module "mwaa" {
 airflow_version = "2.2.2"
 environment_class = "mw1.medium"
+ input_iam_role_additional_policies = {
+ "additional-policy-1" = ""
+ "additional-policy-2" = ""
+ }
+
 vpc_id = ""
- private_subnet_ids = ["",""]
+ private_subnet_ids = ["",""]
 min_workers = 1
 max_workers = 25
@@ -134,7 +139,7 @@ No modules.
 | [environment\_class](#input\_environment\_class) | (Optional) Environment class for the cluster. Possible options are mw1.small, mw1.medium, mw1.large.
Will be set by default to mw1.small. Please check the AWS Pricing for more information about the environment classes. | `string` | `"mw1.small"` | no |
 | [execution\_role\_arn](#input\_execution\_role\_arn) | (Required) The Amazon Resource Name (ARN) of the task execution role that the Amazon MWAA and its environment can assume
Mandatory if `create_iam_role=false` | `string` | `null` | no |
 | [force\_detach\_policies](#input\_force\_detach\_policies) | IAM role Force detach policies | `bool` | `false` | no |
-| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | A map of additional policy arms to be added to the IAM role, with an arbitary key name | `map(string)` | `{}` | no |
 | [iam\_role\_name](#input\_iam\_role\_name) | IAM Role Name to be created if execution\_role\_arn is null | `string` | `null` | no |
 | [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `"/"` | no |
 | [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | IAM role Permission boundary | `string` | `null` | no |
diff --git a/locals.tf b/locals.tf
index e6cb7f8..b869920 100644
--- a/locals.tf
+++ b/locals.tf
@@ -11,5 +11,5 @@ locals {
 airflow_configuration_options = merge(local.default_airflow_configuration_options, var.airflow_configuration_options)
- iam_role_additional_policies = { for k, v in toset(concat([var.iam_role_additional_policies])) : k => v if var.execution_role_arn != null }
+ iam_role_additional_policies = { for k, v in var.iam_role_additional_policies : k => v if var.create_iam_role }
 }
diff --git a/main.tf b/main.tf
index c0f3c49..1d650b5 100644
--- a/main.tf
+++ b/main.tf
@@ -93,7 +93,7 @@ resource "aws_iam_role_policy" "mwaa" {
 resource "aws_iam_role_policy_attachment" "mwaa" {
 for_each = local.iam_role_additional_policies
- policy_arn = each.key
+ policy_arn = each.value
 role = aws_iam_role.mwaa[0].id
 }
diff --git a/variables.tf b/variables.tf
index 80ed7fc..2d3ac3f 100644
--- a/variables.tf
+++ b/variables.tf
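Review bot: With the new `if var.create_iam_role` filter, entries a caller passes in `iam_role_additional_policies` together with `create_iam_role = false` are dropped silently instead of being attached to the externally supplied `execution_role_arn`, and nothing in the hunk or the variable description says so. Not touching a role the module does not own is the safer default, but it should be stated where the decision is made; a comment on the local such as `# Attachments only target the role this module creates; with create_iam_role = false this map is ignored` and the same sentence in the variable description would make the behaviour visible to users. If the intent is to reject that combination outright rather than ignore it, a `validation` block on the variable cannot reference `create_iam_role`, so a lifecycle `precondition` on the attachment resource in main.tf would be the place, provided the module's required Terraform version supports it.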
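Review bot: The attachment is now addressed by the caller's map key, so renaming a label in `iam_role_additional_policies` destroys and recreates that `aws_iam_role_policy_attachment` even when the ARN is unchanged, which briefly removes the permission from a running environment; that is expected `for_each` behaviour but worth a comment on the resource, e.g. `# for_each keys are the caller's labels; renaming a label replaces the attachment`. Using `each.value` for `policy_arn` is the correct fix for the map type, and `aws_iam_role.mwaa[0].id` is consistent with the `create_iam_role` gating in locals.tf.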
@@ -171,8 +171,8 @@ variable "force_detach_policies" {
 variable "iam_role_additional_policies" {
 description = "Additional policies to be added to the IAM role"
- type = list(string)
- default = []
+ type = map(string)
+ default = {}
 }
 variable "iam_role_path" {
From 90bbe0693b5e5f2843727c37477bd6b85966d714 Mon Sep 17 00:00:00 2001
From: SamuZad
Date: Wed, 31 May 2023 11:56:25 +0100
Subject: [PATCH 2/3] fix the position of example block in readme
---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index f9af5ca..43db8f4 100644
--- a/README.md
+++ b/README.md
@@ -28,17 +28,17 @@ module "mwaa" {
 airflow_version = "2.2.2"
 environment_class = "mw1.medium"
- input_iam_role_additional_policies = {
- "additional-policy-1" = ""
- "additional-policy-2" = ""
- }
-
 vpc_id = ""
 private_subnet_ids = ["",""]
 min_workers = 1
 max_workers = 25
 webserver_access_mode = "PUBLIC_ONLY" # Default PRIVATE_ONLY for production environments
+
+ input_iam_role_additional_policies = {
+ "additional-policy-1" = ""
+ "additional-policy-2" = ""
+ }
 logging_configuration = {
 dag_processing_logs = {
From d012ae5a21942d7e9972234d7f3b66c9cf26250c Mon Sep 17 00:00:00 2001
From: SamuZad
Date: Wed, 31 May 2023 12:05:46 +0100
Subject: [PATCH 3/3] fix typo
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 43db8f4..98914af 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ module "mwaa" {
 min_workers = 1
 max_workers = 25
 webserver_access_mode = "PUBLIC_ONLY" # Default PRIVATE_ONLY for production environments
-
+
 input_iam_role_additional_policies = {
 "additional-policy-1" = ""
 "additional-policy-2" = ""
@@ -139,7 +139,7 @@ No modules.
 | [environment\_class](#input\_environment\_class) | (Optional) Environment class for the cluster. Possible options are mw1.small, mw1.medium, mw1.large.
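Review bot: The `description` in the variables.tf hunk is left as "Additional policies to be added to the IAM role" while the README row was edited by hand to describe a map of ARNs; if the README table is generated by terraform-docs, as its `#input\_…` anchors suggest, the next regeneration will overwrite the hand edit and the two will disagree again, so the description in variables.tf is the place to change. Since the values are now attached verbatim as `policy_arn`, the variable is also a good place to reject values that are not IAM policy ARNs (the README example uses `""` placeholders, which would otherwise fail only at apply time inside the provider); a `validation` block doing that, plus a description that names the map semantics and the `create_iam_role` gating visible in locals.tf, is sketched below (the ARN pattern is a constructed example to adjust to the partitions the module supports).
```hcl
variable "iam_role_additional_policies" {
  description = "Map of additional IAM policy ARNs to attach to the role created by this module (ignored when create_iam_role = false); keys are arbitrary stable labels, values are ARNs"
  type        = map(string)
  default     = {}

  validation {
    condition     = alltrue([for arn in values(var.iam_role_additional_policies) : can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", arn))])
    error_message = "Every value of iam_role_additional_policies must be an IAM policy ARN."
  }
}
```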
Will be set by default to mw1.small. Please check the AWS Pricing for more information about the environment classes. | `string` | `"mw1.small"` | no |
 | [execution\_role\_arn](#input\_execution\_role\_arn) | (Required) The Amazon Resource Name (ARN) of the task execution role that the Amazon MWAA and its environment can assume
Mandatory if `create_iam_role=false` | `string` | `null` | no |
 | [force\_detach\_policies](#input\_force\_detach\_policies) | IAM role Force detach policies | `bool` | `false` | no |
-| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | A map of additional policy arms to be added to the IAM role, with an arbitary key name | `map(string)` | `{}` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | A map of additional policy ARNs to be added to the IAM role, with an arbitary key name | `map(string)` | `{}` | no |
 | [iam\_role\_name](#input\_iam\_role\_name) | IAM Role Name to be created if execution\_role\_arn is null | `string` | `null` | no |
 | [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `"/"` | no |
 | [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | IAM role Permission boundary | `string` | `null` | no |