From e44b1bb242b90c29df03057ead85a3246a34f049 Mon Sep 17 00:00:00 2001 From: Herman Wong Date: Wed, 18 Sep 2024 07:23:16 -0700 Subject: [PATCH 1/5] Change ref for security group module from hash to tag. --- sg.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sg.tf b/sg.tf index 6749452..0127c17 100644 --- a/sg.tf +++ b/sg.tf @@ -1,5 +1,5 @@ module "security_group" { - source = "github.com/Coalfire-CF/terraform-aws-securitygroup?ref=b6e9070a3f6201d75160c42a3f649d36cb9b2622" + source = "github.com/Coalfire-CF/terraform-aws-securitygroup?ref=v1.0.1" name = "${var.name}-sg" description = var.sg_description From ebeeb28e948c727c4ca79606dbee79a4a3685798 Mon Sep 17 00:00:00 2001 From: Herman Wong Date: Wed, 18 Sep 2024 07:23:41 -0700 Subject: [PATCH 2/5] Fix conditional to respond appropriately to boolean var. --- iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iam.tf b/iam.tf index 6218ce4..2ecbc48 100644 --- a/iam.tf +++ b/iam.tf @@ -23,7 +23,7 @@ data "aws_iam_policy" "AmazonSSMManagedInstanceCore" { } resource "aws_iam_role_policy_attachment" "ssm_role_policy_attach" { - count = var.add_SSMManagedInstanceCore ? length(var.iam_policies) : 0 + count = var.add_SSMManagedInstanceCore ? 1 : 0 policy_arn = data.aws_iam_policy.AmazonSSMManagedInstanceCore.arn role = aws_iam_role.this_role[0].name } From 2c52deee76652c8c708ad037ca44f93375677c03 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 18 Sep 2024 14:31:23 +0000 Subject: [PATCH 3/5] terraform-docs: automated action --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f6b5551..35a5873 100644 --- a/README.md +++ b/README.md 
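Review bot: The new `source` line pins the security-group module to the git tag `v1.0.1` instead of a commit SHA, and a tag is a mutable pointer: the upstream repository can move or re-push it, so a later `terraform init` can fetch different module code under an unchanged `sg.tf`, and Terraform's dependency lock file records no checksum for git-sourced modules. If a readable version name is the goal, keep the immutable pin and annotate it, e.g. `source = "github.com/Coalfire-CF/terraform-aws-securitygroup?ref=<commit-sha-that-v1.0.1-resolves-to>" # v1.0.1`, or keep the tag and add a review step that records the SHA the tag resolved to at init time. The `module "security_group"` block continues past the end of the hunk.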
@@ -181,7 +181,7 @@ module "ad2" { | Name | Source | Version | |------|--------|---------| -| [security\_group](#module\_security\_group) | github.com/Coalfire-CF/terraform-aws-securitygroup | b6e9070a3f6201d75160c42a3f649d36cb9b2622 | +| [security\_group](#module\_security\_group) | github.com/Coalfire-CF/terraform-aws-securitygroup | v1.0.1 | ## Resources From d06d715d8682a68745378bd3380657c4962b8457 Mon Sep 17 00:00:00 2001 From: Herman Wong Date: Wed, 2 Oct 2024 11:27:51 -0700 Subject: [PATCH 4/5] Adjust conditional to also require iam policies. --- iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iam.tf b/iam.tf index 2ecbc48..b30c2ff 100644 --- a/iam.tf +++ b/iam.tf @@ -23,7 +23,7 @@ data "aws_iam_policy" "AmazonSSMManagedInstanceCore" { } resource "aws_iam_role_policy_attachment" "ssm_role_policy_attach" { - count = var.add_SSMManagedInstanceCore ? 1 : 0 + count = var.add_SSMManagedInstanceCore && length(var.iam_policies) > 0 ? 1 : 0 policy_arn = data.aws_iam_policy.AmazonSSMManagedInstanceCore.arn role = aws_iam_role.this_role[0].name } From 74fa5e703c69674216ec7220da7aab5b14638cd4 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 2 Oct 2024 18:28:12 +0000 Subject: [PATCH 5/5] terraform-docs: automated action --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 35a5873..22b83f8 100644 --- a/README.md +++ b/README.md 
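Review bot: The new `count` expression makes the SSM policy attachment depend on `var.iam_policies` being non-empty, so a caller who sets `add_SSMManagedInstanceCore = true` with the default `iam_policies = []` silently gets no attachment and no error, a missing-permission outcome that is only noticed when Session Manager fails on the instance. The coupling presumably exists because `aws_iam_role.this_role` (defined outside this hunk) is itself counted on `length(var.iam_policies)` and `this_role[0]` would otherwise be out of range; the cleaner fix is to extend the role's own count to `length(var.iam_policies) > 0 || var.add_SSMManagedInstanceCore ? 1 : 0` and return this line to `count = var.add_SSMManagedInstanceCore ? 1 : 0`. If the coupling is intentional, a `lifecycle { precondition { ... } }` on this resource, or a sentence in the `add_SSMManagedInstanceCore` variable description stating that it requires at least one entry in `iam_policies`, would make the dependency explicit rather than silent. HCL parses `a && b ? 1 : 0` as `(a && b) ? 1 : 0`, but writing the parentheses would spare the next reader the precedence check.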
@@ -216,16 +216,16 @@ module "ad2" { | [assume\_role\_policy](#input\_assume\_role\_policy) | Policy document allowing Principals to assume this role (e.g. Trust Relationship) | `string` | `"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n },\n \"Effect\": \"Allow\",\n \"Sid\": \"\"\n }\n ]\n}\n"` | no | | [ebs\_kms\_key\_arn](#input\_ebs\_kms\_key\_arn) | The ARN of the KMS key to encrypt EBS volumes | `string` | n/a | yes | | [ebs\_optimized](#input\_ebs\_optimized) | Whether or not the instance is ebs optimized | `bool` | `true` | no | -| [ebs\_volumes](#input\_ebs\_volumes) | A list of maps that must contain device\_name (ex. '/dev/sdb') and size (in GB). Optional args include type, throughput, iops, multi\_attach\_enabled, final\_snapshot, snapshot\_id, outpost\_arn, force\_detach, skip\_destroy, stop\_instance\_before\_detaching, and tags |
list(object({
device_name = string
size = number
type = string
throughput = optional(number)
iops = optional(number)
multi_attach_enabled = optional(bool, false)
final_snapshot = optional(string)
snapshot_id = optional(string)
outpost_arn = optional(string)
force_detach = optional(bool, false)
skip_destroy = optional(bool, false)
stop_instance_before_detaching = optional(bool, false)
tags = optional(map(string), {})
}))
| `[]` | no | +| [ebs\_volumes](#input\_ebs\_volumes) | A list of maps that must contain device\_name (ex. '/dev/sdb') and size (in GB). Optional args include type, throughput, iops, multi\_attach\_enabled, final\_snapshot, snapshot\_id, outpost\_arn, force\_detach, skip\_destroy, stop\_instance\_before\_detaching, and tags |
list(object({
device_name = string
size = number
type = string
throughput = optional(number)
iops = optional(number)
multi_attach_enabled = optional(bool, false)
final_snapshot = optional(string)
snapshot_id = optional(string)
outpost_arn = optional(string)
force_detach = optional(bool, false)
skip_destroy = optional(bool, false)
stop_instance_before_detaching = optional(bool, false)
tags = optional(map(string), {})
}))
| `[]` | no | | [ec2\_instance\_type](#input\_ec2\_instance\_type) | The type of instance to start | `string` | n/a | yes | | [ec2\_key\_pair](#input\_ec2\_key\_pair) | The key name to use for the instance | `string` | n/a | yes | -| [egress\_rules](#input\_egress\_rules) | The list of rules for egress traffic. Required fields for each rule are 'protocol', 'from\_port', 'to\_port', and at least one of 'cidr\_blocks', 'ipv6\_cidr\_blocks', 'security\_groups', 'self', or 'prefix\_list\_sg'. Optional fields are 'description' and those not used from the previous list |
map(object({
cidr_ipv4 = optional(string, null)
cidr_ipv6 = optional(string, null)
description = optional(string, "Managed by Terraform")
from_port = optional(string, null)
ip_protocol = optional(string, null)
prefix_list_id = optional(string, null)
referenced_security_group_id = optional(string, null)
to_port = optional(string, null)
}))
| `{}` | no | +| [egress\_rules](#input\_egress\_rules) | The list of rules for egress traffic. Required fields for each rule are 'protocol', 'from\_port', 'to\_port', and at least one of 'cidr\_blocks', 'ipv6\_cidr\_blocks', 'security\_groups', 'self', or 'prefix\_list\_sg'. Optional fields are 'description' and those not used from the previous list |
map(object({
cidr_ipv4 = optional(string, null)
cidr_ipv6 = optional(string, null)
description = optional(string, "Managed by Terraform")
from_port = optional(string, null)
ip_protocol = optional(string, null)
prefix_list_id = optional(string, null)
referenced_security_group_id = optional(string, null)
to_port = optional(string, null)
}))
| `{}` | no | | [get\_password\_data](#input\_get\_password\_data) | Whether or not to allow retrieval of the local admin password | `bool` | `false` | no | | [global\_tags](#input\_global\_tags) | a map of strings that contains global level tags | `map(string)` | n/a | yes | | [http\_tokens](#input\_http\_tokens) | Whether or not the metadata service requires session tokens, required=IMDSv2, optional=IMDSv1 | `any` | `"required"` | no | | [iam\_policies](#input\_iam\_policies) | A list of the iam policy ARNs to attach to the IAM role | `list(string)` | `[]` | no | | [iam\_profile](#input\_iam\_profile) | A variable to attach an existing iam profile to the ec2 instance(s) created | `string` | `""` | no | -| [ingress\_rules](#input\_ingress\_rules) | The list of rules for ingress traffic. Required fields for each rule are 'protocol', 'from\_port', 'to\_port', and at least one of 'cidr\_blocks', 'ipv6\_cidr\_blocks', 'security\_groups', 'self', or 'prefix\_list\_sg'. Optional fields are 'description' and those not used from the previous list |
map(object({
cidr_ipv4 = optional(string, null)
cidr_ipv6 = optional(string, null)
description = optional(string, "Managed by Terraform")
from_port = optional(string, null)
ip_protocol = optional(string, null)
prefix_list_id = optional(string, null)
referenced_security_group_id = optional(string, null)
to_port = optional(string, null)
}))
| `{}` | no | +| [ingress\_rules](#input\_ingress\_rules) | The list of rules for ingress traffic. Required fields for each rule are 'protocol', 'from\_port', 'to\_port', and at least one of 'cidr\_blocks', 'ipv6\_cidr\_blocks', 'security\_groups', 'self', or 'prefix\_list\_sg'. Optional fields are 'description' and those not used from the previous list |
map(object({
cidr_ipv4 = optional(string, null)
cidr_ipv6 = optional(string, null)
description = optional(string, "Managed by Terraform")
from_port = optional(string, null)
ip_protocol = optional(string, null)
prefix_list_id = optional(string, null)
referenced_security_group_id = optional(string, null)
to_port = optional(string, null)
}))
| `{}` | no | | [instance\_count](#input\_instance\_count) | Number of instances to launch | `number` | `1` | no | | [keys\_to\_grant](#input\_keys\_to\_grant) | A list of kms keys to grant permissions to for the role created. | `list(string)` | `[]` | no | | [name](#input\_name) | The name of the ec2 instance | `string` | n/a | yes |