fix: Multiple provider_urls not working with iam-assumable-role-with-oidc (#115)

modules/iam-assumable-role-with-oidc/main.tf

@@ -5,10 +5,6 @@ locals {
     for url in compact(distinct(concat(var.provider_urls, [var.provider_url]))) :
     replace(url, "https://", "")
   ]
-  identifiers = [
-    for url in local.urls :
-    "arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:oidc-provider/${url}"
-  ]
   number_of_role_policy_arns = coalesce(var.number_of_role_policy_arns, length(var.role_policy_arns))
 }
 
@@ -19,7 +15,10 @@ data "aws_partition" "current" {}
 data "aws_iam_policy_document" "assume_role_with_oidc" {
   count = var.create_role ? 1 : 0
 
-  statement {
+  dynamic "statement" {
+    for_each = local.urls
+
+    content {
       effect = "Allow"
 
       actions = ["sts:AssumeRoleWithWebIdentity"]
@@ -27,28 +26,30 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
       principals {
         type = "Federated"
 
-      identifiers = local.identifiers
+        identifiers = ["arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:oidc-provider/${statement.value}"]
       }
 
       dynamic "condition" {
         for_each = length(var.oidc_fully_qualified_subjects) > 0 ? local.urls : []
+
         content {
           test     = "StringEquals"
-        variable = "${condition.value}:sub"
+          variable = "${statement.value}:sub"
           values   = var.oidc_fully_qualified_subjects
         }
       }
 
-
       dynamic "condition" {
         for_each = length(var.oidc_subjects_with_wildcards) > 0 ? local.urls : []
+
         content {
           test     = "StringLike"
-        variable = "${condition.value}:sub"
+          variable = "${statement.value}:sub"
           values   = var.oidc_subjects_with_wildcards
         }
       }
     }
+  }
 }
 
 resource "aws_iam_role" "this" {