cruxstack · sgtoj · Aug 16, 2025 · Aug 15, 2025 · Aug 15, 2025 · Aug 15, 2025
diff --git a/main.tf b/main.tf
@@ -2,7 +2,8 @@ locals {
   name            = coalesce(module.this.name, var.name, "cognito-custom-message-sender")
   enabled         = module.this.enabled
   aws_account_id  = try(coalesce(var.aws_account_id, data.aws_caller_identity.current[0].account_id), "")
-  aws_region_name = try(coalesce(var.aws_region_name, data.aws_region.current[0].name), "")
+  aws_region_name = try(coalesce(var.aws_region_name, data.aws_region.current[0].region), "")
+  aws_partition   = one(data.aws_partition.current.*.partition)
 
   email_sender_enabled        = local.enabled && var.email_sender_enabled
   email_sender_policy_path    = "./policy.rego"
@@ -12,6 +13,10 @@ locals {
   sms_sender_policy_path                = "./policy.wasm"
   sms_sender_policy_content             = var.sms_sender_policy_content
   sms_sender_throttle_period_in_minutes = 15
+
+  iam_role_policies = {
+    access = one(data.aws_iam_policy_document.this.*.json)
+  }
 }
 
 data "aws_caller_identity" "current" {
@@ -22,6 +27,11 @@ data "aws_region" "current" {
   count = local.enabled ? 1 : 0
 }
 
+data "aws_partition" "current" {
+  count = module.this.enabled ? 1 : 0
+}
+
+
 # ============================================================ message-sender ===
 
 module "message_sender_label" {
@@ -61,18 +71,25 @@ resource "aws_iam_role" "this" {
     }]
   })
 
-  managed_policy_arns = [
-    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-  ]
+  tags = module.message_sender_label.tags
+}
 
-  inline_policy {
-    name   = "message-sender-access"
-    policy = data.aws_iam_policy_document.this[0].json
-  }
+resource "aws_iam_role_policy_attachment" "ssm_managed_instance_core" {
+  count = module.this.enabled ? 1 : 0
 
-  tags = module.message_sender_label.tags
+  role       = aws_iam_role.this[0].name
+  policy_arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+resource "aws_iam_role_policy" "this" {
+  for_each = { for k, v in local.iam_role_policies : k => v if module.this.enabled }
+
+  name   = each.key
+  role   = resource.aws_iam_role.this[0].name
+  policy = each.value
+}
+
+
 data "aws_iam_policy_document" "this" {
   count = local.enabled ? 1 : 0
 

diff --git a/variables.tf b/variables.tf
@@ -53,7 +53,7 @@ variable "email_sender_providers" {
 
   validation {
     condition     = length(var.email_sender_providers) == 1
-    error_message = "Must define exactly one email provider. Support for more than one coming the future."
+    error_message = "Must define exactly one email provider. Support for more than one coming in the future."
   }
 
   validation {

diff --git a/versions.tf b/versions.tf
@@ -4,11 +4,11 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0.0, < 6.0.0"
+      version = ">= 5.0.0"
     }
     docker = {
       source  = "kreuzwerker/docker"
-      version = ">= 3.0.0, < 4.0.0"
+      version = ">= 3.0.0"
     }
   }
 }