From bb9883a1521a48c316e061a17263c012c2602950 Mon Sep 17 00:00:00 2001 From: Brian Ojeda <9335829+sgtoj@users.noreply.github.com> Date: Fri, 15 Aug 2025 15:39:15 -0400 Subject: [PATCH 1/4] fix: update grammar for validation error --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index ebc16e5..575ed58 100755 --- a/variables.tf +++ b/variables.tf @@ -53,7 +53,7 @@ variable "email_sender_providers" { validation { condition = length(var.email_sender_providers) == 1 - error_message = "Must define exactly one email provider. Support for more than one coming the future." + error_message = "Must define exactly one email provider. Support for more than one coming in the future." } validation { From 7d014493e1d4e98caf33b03883df550b8d77d63a Mon Sep 17 00:00:00 2001 From: Brian Ojeda <9335829+sgtoj@users.noreply.github.com> Date: Fri, 15 Aug 2025 15:39:37 -0400 Subject: [PATCH 2/4] feat: remove upper limits of providers --- versions.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/versions.tf b/versions.tf index b90a3aa..789620a 100755 --- a/versions.tf +++ b/versions.tf @@ -4,11 +4,11 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0.0, < 6.0.0" + version = ">= 5.0.0" } docker = { source = "kreuzwerker/docker" - version = ">= 3.0.0, < 4.0.0" + version = ">= 3.0.0" } } } From 462cc7a38d582b72efd381260dc901eebedf5715 Mon Sep 17 00:00:00 2001 From: Brian Ojeda <9335829+sgtoj@users.noreply.github.com> Date: Fri, 15 Aug 2025 15:42:36 -0400 Subject: [PATCH 3/4] feat: use latest pattern for applying policies to roles --- main.tf | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/main.tf b/main.tf index 4596dd8..56deacd 100755 --- a/main.tf +++ b/main.tf 
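Review bot: Dropping the `< 6.0.0` and `< 4.0.0` caps in `versions.tf` lets a consumer's `terraform init` select a future major release of either provider, whose breaking changes this module has not been exercised against, and a reusable module cannot ship a `.terraform.lock.hcl` to pin that, so the constraint is the only guard. If the intent is to admit the 6.x AWS provider (the last patch in this series reads `data.aws_region.current[0].region`, which appears to be the 6.x replacement for the deprecated `name`), say so explicitly, e.g. `version = ">= 6.0.0, < 7.0.0"`; the `>= 5.0.0` floor otherwise still accepts provider versions that lack the attribute.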
@@ -3,6 +3,7 @@ locals { enabled = module.this.enabled aws_account_id = try(coalesce(var.aws_account_id, data.aws_caller_identity.current[0].account_id), "") aws_region_name = try(coalesce(var.aws_region_name, data.aws_region.current[0].name), "") + aws_partition = one(data.aws_partition.current.*.partition) email_sender_enabled = local.enabled && var.email_sender_enabled email_sender_policy_path = "./policy.rego" @@ -12,6 +13,10 @@ locals { sms_sender_policy_path = "./policy.wasm" sms_sender_policy_content = var.sms_sender_policy_content sms_sender_throttle_period_in_minutes = 15 + + iam_role_policies = { + access = one(data.aws_iam_policy_document.this.*.json) + } } data "aws_caller_identity" "current" { @@ -22,6 +27,11 @@ data "aws_region" "current" { count = local.enabled ? 1 : 0 } +data "aws_partition" "current" { + count = module.this.enabled ? 1 : 0 +} + + # ============================================================ message-sender === module "message_sender_label" { @@ -61,18 +71,25 @@ resource "aws_iam_role" "this" { }] }) - managed_policy_arns = [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] + tags = module.message_sender_label.tags +} - inline_policy { - name = "message-sender-access" - policy = data.aws_iam_policy_document.this[0].json - } +resource "aws_iam_role_policy_attachment" "ssm_managed_instance_core" { + count = module.this.enabled ? 1 : 0 - tags = module.message_sender_label.tags + role = aws_iam_role.this[0].name + policy_arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } +resource "aws_iam_role_policy" "this" { + for_each = { for k, v in local.iam_role_policies : k => v if module.this.enabled } + + name = each.key + role = resource.aws_iam_role.this[0].name + policy = each.value +} + + data "aws_iam_policy_document" "this" { count = local.enabled ? 1 : 0 From a9f7f6acde83c05b3e2210bd2d9e52fe39e892be Mon Sep 17 00:00:00 2001 
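Review bot: The new `data "aws_partition" "current"` gates on `module.this.enabled` while the neighbouring `data "aws_region" "current"` in the same hunk uses `local.enabled`; the locals hunk shows the two are equal (`enabled = module.this.enabled`), but mixing them makes the module's enable switch harder to audit, so `count = local.enabled ? 1 : 0` would match the file. The same mixed condition appears in the `aws_iam_role_policy_attachment` and `aws_iam_role_policy` hunk below. The two consecutive blank lines added after the closing brace are also a one-off in this file.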
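Review bot: The role's inline policy is renamed from `message-sender-access` (the removed `inline_policy` block) to `access` (the `each.key` of `aws_iam_role_policy.this`), and because the `inline_policy` block is dropped rather than set to an empty list, an existing deployment will presumably keep the old inline policy attached to the role outside of state while a second one is added, leaving two grants where the configuration describes one; either keep the original name as the map key or document the one-time cleanup in the commit. The attachment resource is named `ssm_managed_instance_core` but attaches `AWSLambdaBasicExecutionRole`; `resource "aws_iam_role_policy_attachment" "lambda_basic_execution"` would describe what it does. `role = resource.aws_iam_role.this[0].name` also uses the `resource.` prefix that the attachment a few lines above omits. The enclosing `resource "aws_iam_role" "this"` block starts outside the hunk.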
From: Brian Ojeda <9335829+sgtoj@users.noreply.github.com> Date: Fri, 15 Aug 2025 15:45:08 -0400 Subject: [PATCH 4/4] feat: switch to new region attribute --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 56deacd..66462b6 100755 --- a/main.tf +++ b/main.tf @@ -2,7 +2,7 @@ locals { name = coalesce(module.this.name, var.name, "cognito-custom-message-sender") enabled = module.this.enabled aws_account_id = try(coalesce(var.aws_account_id, data.aws_caller_identity.current[0].account_id), "") - aws_region_name = try(coalesce(var.aws_region_name, data.aws_region.current[0].name), "") + aws_region_name = try(coalesce(var.aws_region_name, data.aws_region.current[0].region), "") aws_partition = one(data.aws_partition.current.*.partition) email_sender_enabled = local.enabled && var.email_sender_enabled
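Review bot: `data.aws_region.current[0].region` is wrapped in `try(..., "")`, so on a provider version whose `aws_region` data source exposes only `name` the expression may fall back to an empty `aws_region_name` instead of failing, and anything derived from that local would be silently wrong. If `region` is the 6.x replacement for the deprecated `name`, as it appears to be, the `versions.tf` constraint earlier in this series should require it (`version = ">= 6.0.0"`), or the fallback should be explicit: `try(coalesce(var.aws_region_name, data.aws_region.current[0].region), coalesce(var.aws_region_name, data.aws_region.current[0].name), "")`. The `locals` block continues past the hunk on both sides.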