Update role attachment count

[dlutsch]

What does this PR do?

Fixes the count argument on aws_iam_role_policy_attachment.kms_decrypt (line 205 in main.tf) to use the same static condition as the policy resource it references, instead of length() on the resource itself.

- count      = length(aws_iam_policy.kms_decrypt)
+ count      = var.kms_key != null ? 1 : 0

This matches the condition already used by aws_iam_policy.kms_decrypt on line 177.

Motivation

length(aws_iam_policy.kms_decrypt) references a resource attribute that Terraform cannot resolve until apply. This causes terraform import and terraform state commands to fail with:

Error: Invalid count argument
  count = length(aws_iam_policy.kms_decrypt)
  The "count" value depends on resource attributes that cannot be determined until apply

This blocks all terraform state operations in any workspace that includes this module.

Testing

• Confirmed the error reproduces on Terraform 1.14.3 with observeinc/lambda/aws v3.6.0 when kms_key = null
• Applied the fix locally and verified terraform plan/apply, terraform import, and terraform state rm all succeed
• No functional change — the condition evaluates identically to the existing aws_iam_policy.kms_decrypt count

[obs-gh-justindaines]

Thank you for contributing.

This is a great addition to be more consistent and it matches the pattern already used by aws_iam_policy.kms_decrypt on line 177

Can we update to remove the extra count = ?

count      = count = var.kms_key != null ? 1 : 0

to

count      = var.kms_key != null ? 1 : 0

Other than that this looks great.

[dlutsch]

@obs-gh-justindaines updated to remove the typo, thanks for catching.

after this gets merged, would it be possible to cut a new version of this module as well as the module ref in terraform-aws-collection ? The tf import bug, while small, is causing a bit of a headache for my team.

[obs-gh-brett-blakeney]

Approved