feat: Support External ID with MFA in iam-assumable-role (#159)

examples/iam-assumable-role/main.tf

@@ -75,7 +75,7 @@ module "iam_assumable_role_sts" {
   create_role = true
 
   role_name         = "custom_sts"
-  role_requires_mfa = false
+  role_requires_mfa = true
 
   role_sts_externalid = [
     "some-id-goes-here",

modules/iam-assumable-role/main.tf

 locals {
-  role_sts_externalid = flatten(tolist(var.role_sts_externalid))
+  role_sts_externalid = flatten([var.role_sts_externalid])
 }
 
 data "aws_iam_policy_document" "assume_role" {
@@ -56,6 +56,15 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
       variable = "aws:MultiFactorAuthAge"
       values   = [var.mfa_age]
     }
+
+    dynamic "condition" {
+      for_each = length(local.role_sts_externalid) != 0 ? [true] : []
+      content {
+        test     = "StringEquals"
+        variable = "sts:ExternalId"
+        values   = local.role_sts_externalid
+      }
+    }
   }
 }