Fixed styles after #26

.chglog/CHANGELOG.tpl.md

+{{ if .Versions -}}
+<a name="unreleased"></a>
+## [Unreleased]
+{{ if .Unreleased.CommitGroups -}}
+{{ range .Unreleased.CommitGroups -}}
+### {{ .Title }}
+{{ range .Commits -}}
+- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
+{{ end }}
+{{ end -}}
+{{ else }}
+{{ range .Unreleased.Commits -}}
+- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
+{{ end }}
+{{ end -}}
+{{ end -}}
+
+{{ range .Versions }}
+<a name="{{ .Tag.Name }}"></a>
+## {{ if .Tag.Previous }}[{{ .Tag.Name }}]{{ else }}{{ .Tag.Name }}{{ end }} - {{ datetime "2006-01-02" .Tag.Date }}
+{{ if .CommitGroups -}}
+{{ range .CommitGroups -}}
+### {{ .Title }}
+{{ range .Commits -}}
+- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
+{{ end }}
+{{ end -}}
+{{ else }}
+{{ range .Commits -}}
+- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
+{{ end }}
+{{ end -}}
+
+{{- if .NoteGroups -}}
+{{ range .NoteGroups -}}
+### {{ .Title }}
+{{ range .Notes }}
+{{ .Body }}
+{{ end }}
+{{ end -}}
+{{ end -}}
+{{ end -}}
+
+{{- if .Versions }}
+[Unreleased]: {{ .Info.RepositoryURL }}/compare/{{ $latest := index .Versions 0 }}{{ $latest.Tag.Name }}...HEAD
+{{ range .Versions -}}
+{{ if .Tag.Previous -}}
+[{{ .Tag.Name }}]: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }}
+{{ end -}}
+{{ end -}}
+{{ end -}}
\ No newline at end of file

.chglog/config.yml

+style: github
+template: CHANGELOG.tpl.md
+info:
+  title: CHANGELOG
+  repository_url: https://github.com/terraform-aws-modules/terraform-aws-iam
+options:
+  header:
+    pattern: "^(.*)$"
+    pattern_maps:
+      - Subject

.pre-commit-config.yaml

 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.9.0
+  rev: v1.12.0
   hooks:
     - id: terraform_fmt
     - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  rev: v2.1.0
+  rev: v2.2.3
   hooks:
     - id: check-merge-conflict

Makefile

+.PHONY: changelog release
+
+changelog:
+	git-chglog -o CHANGELOG.md --next-tag `semtag final -s minor -o`
+
+release:
+	semtag final -s minor

README.md

@@ -12,6 +12,12 @@ These types of resources are supported:
 * [IAM access key](https://www.terraform.io/docs/providers/aws/r/iam_access_key.html)
 * [IAM SSH public key](https://www.terraform.io/docs/providers/aws/r/iam_user_ssh_key.html)
 
+## Terraform versions
+
+Terraform 0.12. Pin module version to `~> v2.0`. Submit pull-requests to `master` branch.
+
+Terraform 0.11. Pin module version to `~> v1.0`. Submit pull-requests to `terraform011` branch.
+
 ## Features
 
 1. **Cross-account access.** Define IAM roles using `iam_assumable_role` or `iam_assumable_roles` submodules in "resource AWS accounts (prod, staging, dev)" and IAM groups and users using `iam-group-with-assumable-roles-policy` submodule in "IAM AWS Account" to setup access controls between accounts. See [iam-group-with-assumable-roles-policy example](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-assumable-roles-policy) for more details.

examples/iam-assumable-role/README.md

@@ -22,6 +22,7 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Description |
 |------|-------------|
 | role\_requires\_mfa | Whether admin IAM role requires MFA |
+| role\_tags | Whether admin IAM role requires MFA |
 | this\_iam\_role\_arn | ARN of IAM role |
 | this\_iam\_role\_name | Name of IAM role |
 | this\_iam\_role\_path | Path of IAM role |

examples/iam-assumable-role/main.tf

@@ -19,6 +19,10 @@ module "iam_assumable_role_admin" {
   role_requires_mfa = true
 
   attach_admin_policy = true
+
+  tags = {
+    Role = "Admin"
+  }
 }
 
 ##########################################

modules/iam-assumable-role/README.md

@@ -23,7 +23,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | role\_path | Path of IAM role | string | `"/"` | no |
 | role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | string | `""` | no |
 | role\_requires\_mfa | Whether role requires MFA | string | `"true"` | no |
-| tags | A map of tags to add to all resources. | map | `"{}"` | no |
+| tags | A map of tags to add to all resources. | map | `{}` | no |
 | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list | `[]` | no |
 
 ## Outputs

modules/iam-assumable-role/variables.tf

@@ -77,5 +77,5 @@ variable "attach_readonly_policy" {
 variable "tags" {
   description = "A map of tags to add to all resources."
   type        = "map"
-  default     = "{}"
+  default     = {}
 }

modules/iam-assumable-roles-with-saml/README.md

@@ -15,7 +15,7 @@ Creates single IAM role which can be assumed by trusted resources using SAML Fed
 | admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
 | admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
 | admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no |
-| admin\_role\_tags | A map of tags to add to admin role resource. | map | `"{}"` | no |
+| admin\_role\_tags | A map of tags to add to admin role resource. | map | `{}` | no |
 | aws\_saml\_endpoint | AWS SAML Endpoint | list | `[ "https://signin.aws.amazon.com/saml" ]` | no |
 | create\_admin\_role | Whether to create admin role | string | `"false"` | no |
 | create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no |
@@ -25,14 +25,14 @@ Creates single IAM role which can be assumed by trusted resources using SAML Fed
 | poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
 | poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
 | poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no |
-| poweruser\_role\_tags | A map of tags to add to poweruser role resource. | map | `"{}"` | no |
+| poweruser\_role\_tags | A map of tags to add to poweruser role resource. | map | `{}` | no |
 | provider\_id | ID of the SAML Provider | string | n/a | yes |
 | provider\_name | Name of the SAML Provider | string | n/a | yes |
 | readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
 | readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
 | readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
 | readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no |
-| readonly\_role\_tags | A map of tags to add to readonly role resource. | map | `"{}"` | no |
+| readonly\_role\_tags | A map of tags to add to readonly role resource. | map | `{}` | no |
 
 ## Outputs
 

modules/iam-assumable-roles-with-saml/variables.tf

@@ -42,7 +42,7 @@ variable "admin_role_permissions_boundary_arn" {
 variable "admin_role_tags" {
   description = "A map of tags to add to admin role resource."
   type        = "map"
-  default     = "{}"
+  default     = {}
 }
 
 # Poweruser
@@ -75,7 +75,7 @@ variable "poweruser_role_permissions_boundary_arn" {
 variable "poweruser_role_tags" {
   description = "A map of tags to add to poweruser role resource."
   type        = "map"
-  default     = "{}"
+  default     = {}
 }
 
 # Readonly
@@ -108,7 +108,7 @@ variable "readonly_role_permissions_boundary_arn" {
 variable "readonly_role_tags" {
   description = "A map of tags to add to readonly role resource."
   type        = "map"
-  default     = "{}"
+  default     = {}
 }
 
 variable "max_session_duration" {

modules/iam-assumable-roles/README.md

@@ -14,7 +14,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
 | admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no |
 | admin\_role\_requires\_mfa | Whether admin role requires MFA | string | `"true"` | no |
-| admin\_role\_tags | A map of tags to add to admin role resource. | map | `"{}"` | no |
+| admin\_role\_tags | A map of tags to add to admin role resource. | map | `{}` | no |
 | create\_admin\_role | Whether to create admin role | string | `"false"` | no |
 | create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no |
 | create\_readonly\_role | Whether to create readonly role | string | `"false"` | no |
@@ -25,13 +25,13 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
 | poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no |
 | poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | string | `"true"` | no |
-| poweruser\_role\_tags | A map of tags to add to power role resource. | map | `"{}"` | no |
+| poweruser\_role\_tags | A map of tags to add to power role resource. | map | `{}` | no |
 | readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
 | readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
 | readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
 | readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no |
 | readonly\_role\_requires\_mfa | Whether readonly role requires MFA | string | `"true"` | no |
-| readonly\_role\_tags | A map of tags to add to readonly role resource. | map | `"{}"` | no |
+| readonly\_role\_tags | A map of tags to add to readonly role resource. | map | `{}` | no |
 | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list | `[]` | no |
 
 ## Outputs

modules/iam-assumable-roles/variables.tf

@@ -43,7 +43,7 @@ variable "admin_role_permissions_boundary_arn" {
 variable "admin_role_tags" {
   description = "A map of tags to add to admin role resource."
   type        = "map"
-  default     = "{}"
+  default     = {}
 }
 
 # Poweruser
@@ -81,7 +81,7 @@ variable "poweruser_role_permissions_boundary_arn" {
 variable "poweruser_role_tags" {
   description = "A map of tags to add to power role resource."
   type        = "map"
-  default     = "{}"
+  default     = {}
 }
 
 # Readonly
@@ -119,7 +119,7 @@ variable "readonly_role_permissions_boundary_arn" {
 variable "readonly_role_tags" {
   description = "A map of tags to add to readonly role resource."
   type        = "map"
-  default     = "{}"
+  default     = {}
 }
 
 variable "max_session_duration" {

modules/iam-user/README.md

@@ -35,7 +35,7 @@ This module outputs commands and PGP messages which can be decrypted either usin
 | pgp\_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `""` | no |
 | ssh\_key\_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | string | `"SSH"` | no |
 | ssh\_public\_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | string | `""` | no |
-| tags | A map of tags to add to all resources. | map | `"{}"` | no |
+| tags | A map of tags to add to all resources. | map | `{}` | no |
 | upload\_iam\_user\_ssh\_key | Whether to upload a public ssh key to the IAM user | string | `"false"` | no |
 
 ## Outputs

modules/iam-user/variables.tf

@@ -60,7 +60,7 @@ variable "ssh_public_key" {
 variable "tags" {
   description = "A map of tags to add to all resources."
   type        = "map"
-  default     = "{}"
+  default     = {}
 }
 
 variable "permissions_boundary" {