Upgraded module to support Terraform 0.12 (#29)

bbbb239b · Anton Babenko · GitHub · 0df99e50 · bbbb239b · bbbb239b
Commit bbbb239b authored Jun 11, 2019 by Anton Babenko Committed by GitHub Jun 11, 2019
43 changed files
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -3,7 +3,7 @@ repos:
  rev: v1.12.0
  hooks:
    - id: terraform_fmt
-    - id: terraform_docs
+#    - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
  rev: v2.2.3
  hooks:

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,17 @@
+<a name="v2.0.0"></a>
+## [v2.0.0] - 2019-06-11
+- Upgraded module to support Terraform 0.12
+- upgrade to 0.12 syntax
 <a name="v1.0.0"></a>
 ## [v1.0.0] - 2019-06-11
+- Updated CHANGELOG
 - Fixed styles after [#26](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/26)
 - iam-user,iam-assumable-role,iam-assumable-roles,iam-assumable-roles-with-saml tags support ([#26](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/26))
@@ -91,7 +99,8 @@
 - Initial commit
-[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v1.0.0...HEAD
+[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.0.0...HEAD
+[v2.0.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v1.0.0...v2.0.0
 [v1.0.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v0.5.0...v1.0.0
 [v0.5.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v0.4.0...v0.5.0
 [v0.4.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v0.3.0...v0.4.0

--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ Terraform 0.11. Pin module version to `~> v1.0`. Submit pull-requests to `terraf
 ```hcl
 module "iam_account" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-account"
+  version = "~> 2.0"
  account_alias = "awesome-company"
@@ -41,6 +42,7 @@ module "iam_account" {
 ```hcl
 module "iam_assumable_role" {
  source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~> 2.0"
  trusted_role_arns = [
    "arn:aws:iam::307990089504:root",
@@ -63,6 +65,7 @@ module "iam_assumable_role" {
 ```hcl
 module "iam_assumable_roles" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"
+  version = "~> 2.0"
  trusted_role_arns = [
    "arn:aws:iam::307990089504:root",
@@ -83,6 +86,7 @@ module "iam_assumable_roles" {
 ```hcl
 module "iam_assumable_roles_with_saml" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles-with-saml"
+  version = "~> 2.0"
  create_admin_role = true
@@ -100,6 +104,7 @@ module "iam_assumable_roles_with_saml" {
 ```hcl
 module "iam_user" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
+  version = "~> 2.0"
  name          = "vasya.pupkin"
  force_destroy = true
@@ -114,6 +119,7 @@ module "iam_user" {
 ```hcl
 module "iam_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~> 2.0"
  name        = "example"
  path        = "/"
@@ -140,6 +146,7 @@ EOF
 ```hcl
 module "iam_group_with_assumable_roles_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-assumable-roles-policy"
+  version = "~> 2.0"
  name = "production-readonly"
@@ -158,6 +165,7 @@ module "iam_group_with_assumable_roles_policy" {
 ```hcl
 module "iam_group_with_policies" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
+  version = "~> 2.0"
  name = "superadmins"
@@ -175,7 +183,7 @@ module "iam_group_with_policies" {
  custom_group_policies = [
    {
      name   = "AllowS3Listing"
-      policy = "${data.aws_iam_policy_document.sample.json}"
+      policy = data.aws_iam_policy_document.sample.json
    }
  ]
 }

--- a/examples/iam-account/main.tf
+++ b/examples/iam-account/main.tf
@@ -8,7 +8,7 @@ provider "aws" {
 module "iam_account" {
  source = "../../modules/iam-account"
-  account_alias = "test-account-awesome-company"
+  account_alias = "new-test-account-awesome-company"
  minimum_password_length = 6
  require_numbers         = false

--- a/examples/iam-account/outputs.tf
+++ b/examples/iam-account/outputs.tf
 output "this_caller_identity_account_id" {
  description = "The ID of the AWS account"
-  value       = "${module.iam_account.this_caller_identity_account_id}"
+  value       = module.iam_account.this_caller_identity_account_id
 }
 output "this_iam_account_password_policy_expire_passwords" {
  description = "Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present."
-  value       = "${module.iam_account.this_iam_account_password_policy_expire_passwords}"
+  value       = module.iam_account.this_iam_account_password_policy_expire_passwords
 }
--- a/examples/iam-assumable-role/outputs.tf
+++ b/examples/iam-assumable-role/outputs.tf
 output "this_iam_role_arn" {
  description = "ARN of IAM role"
-  value       = "${module.iam_assumable_role_admin.this_iam_role_arn}"
+  value       = module.iam_assumable_role_admin.this_iam_role_arn
 }
 output "this_iam_role_name" {
  description = "Name of IAM role"
-  value       = "${module.iam_assumable_role_admin.this_iam_role_name}"
+  value       = module.iam_assumable_role_admin.this_iam_role_name
 }
 output "this_iam_role_path" {
  description = "Path of IAM role"
-  value       = "${module.iam_assumable_role_admin.this_iam_role_path}"
+  value       = module.iam_assumable_role_admin.this_iam_role_path
 }
 output "role_requires_mfa" {
  description = "Whether admin IAM role requires MFA"
-  value       = "${module.iam_assumable_role_admin.role_requires_mfa}"
+  value       = module.iam_assumable_role_admin.role_requires_mfa
 }
--- a/examples/iam-assumable-roles-with-saml/main.tf
+++ b/examples/iam-assumable-roles-with-saml/main.tf
@@ -4,7 +4,7 @@ provider "aws" {
 resource "aws_iam_saml_provider" "idp_saml" {
  name                   = "idp_saml"
-  saml_metadata_document = "${file("saml-metadata.xml")}"
+  saml_metadata_document = file("saml-metadata.xml")
 }
 ###############################
@@ -21,8 +21,8 @@ module "iam_assumable_roles_with_saml" {
  create_readonly_role = true
-  provider_name = "${aws_iam_saml_provider.idp_saml.name}"
+  provider_name = aws_iam_saml_provider.idp_saml.name
-  provider_id   = "${aws_iam_saml_provider.idp_saml.id}"
+  provider_id   = aws_iam_saml_provider.idp_saml.id
 }
 #################################################################
@@ -35,6 +35,6 @@ module "iam_assumable_roles_with_saml_custom" {
  poweruser_role_name        = "Billing-And-Support-Access"
  poweruser_role_policy_arns = ["arn:aws:iam::aws:policy/job-function/Billing", "arn:aws:iam::aws:policy/AWSSupportAccess"]
-  provider_name = "${aws_iam_saml_provider.idp_saml.name}"
+  provider_name = aws_iam_saml_provider.idp_saml.name
-  provider_id   = "${aws_iam_saml_provider.idp_saml.id}"
+  provider_id   = aws_iam_saml_provider.idp_saml.id
 }
--- a/examples/iam-assumable-roles-with-saml/outputs.tf
+++ b/examples/iam-assumable-roles-with-saml/outputs.tf
 # Admin
 output "admin_iam_role_arn" {
  description = "ARN of admin IAM role"
-  value       = "${module.iam_assumable_roles_with_saml.admin_iam_role_arn}"
+  value       = module.iam_assumable_roles_with_saml.admin_iam_role_arn
 }
 output "admin_iam_role_name" {
  description = "Name of admin IAM role"
-  value       = "${module.iam_assumable_roles_with_saml.admin_iam_role_name}"
+  value       = module.iam_assumable_roles_with_saml.admin_iam_role_name
 }
 output "admin_iam_role_path" {
  description = "Path of admin IAM role"
-  value       = "${module.iam_assumable_roles_with_saml.admin_iam_role_path}"
+  value       = module.iam_assumable_roles_with_saml.admin_iam_role_path
 }
 # Poweruser
 output "poweruser_iam_role_arn" {
  description = "ARN of poweruser IAM role"
-  value       = "${module.iam_assumable_roles_with_saml.poweruser_iam_role_arn}"
+  value       = module.iam_assumable_roles_with_saml.poweruser_iam_role_arn
 }
 output "poweruser_iam_role_name" {
  description = "Name of poweruser IAM role"
-  value       = "${module.iam_assumable_roles_with_saml.poweruser_iam_role_name}"
+  value       = module.iam_assumable_roles_with_saml.poweruser_iam_role_name
 }
 output "poweruser_iam_role_path" {
  description = "Path of poweruser IAM role"
-  value       = "${module.iam_assumable_roles_with_saml.poweruser_iam_role_path}"
+  value       = module.iam_assumable_roles_with_saml.poweruser_iam_role_path
 }
 # Readonly
 output "readonly_iam_role_arn" {
  description = "ARN of readonly IAM role"
-  value       = "${module.iam_assumable_roles_with_saml.readonly_iam_role_arn}"
+  value       = module.iam_assumable_roles_with_saml.readonly_iam_role_arn
 }
 output "readonly_iam_role_name" {
  description = "Name of readonly IAM role"
-  value       = "${module.iam_assumable_roles_with_saml.readonly_iam_role_name}"
+  value       = module.iam_assumable_roles_with_saml.readonly_iam_role_name
 }
 output "readonly_iam_role_path" {
  description = "Path of readonly IAM role"
-  value       = "${module.iam_assumable_roles_with_saml.readonly_iam_role_path}"
+  value       = module.iam_assumable_roles_with_saml.readonly_iam_role_path
 }
--- a/examples/iam-assumable-roles/outputs.tf
+++ b/examples/iam-assumable-roles/outputs.tf
 # Admin
 output "admin_iam_role_arn" {
  description = "ARN of admin IAM role"
-  value       = "${module.iam_assumable_roles.admin_iam_role_arn}"
+  value       = module.iam_assumable_roles.admin_iam_role_arn
 }
 output "admin_iam_role_name" {
  description = "Name of admin IAM role"
-  value       = "${module.iam_assumable_roles.admin_iam_role_name}"
+  value       = module.iam_assumable_roles.admin_iam_role_name
 }
 output "admin_iam_role_requires_mfa" {
  description = "Whether admin IAM role requires MFA"
-  value       = "${module.iam_assumable_roles.admin_iam_role_requires_mfa}"
+  value       = module.iam_assumable_roles.admin_iam_role_requires_mfa
 }
 output "admin_iam_role_path" {
  description = "Path of admin IAM role"
-  value       = "${module.iam_assumable_roles.admin_iam_role_path}"
+  value       = module.iam_assumable_roles.admin_iam_role_path
 }
 # Poweruser
 output "poweruser_iam_role_arn" {
  description = "ARN of poweruser IAM role"
-  value       = "${module.iam_assumable_roles.poweruser_iam_role_arn}"
+  value       = module.iam_assumable_roles.poweruser_iam_role_arn
 }
 output "poweruser_iam_role_name" {
  description = "Name of poweruser IAM role"
-  value       = "${module.iam_assumable_roles.poweruser_iam_role_name}"
+  value       = module.iam_assumable_roles.poweruser_iam_role_name
 }
 output "poweruser_iam_role_requires_mfa" {
  description = "Whether poweruser IAM role requires MFA"
-  value       = "${module.iam_assumable_roles.poweruser_iam_role_requires_mfa}"
+  value       = module.iam_assumable_roles.poweruser_iam_role_requires_mfa
 }
 output "poweruser_iam_role_path" {
  description = "Path of poweruser IAM role"
-  value       = "${module.iam_assumable_roles.poweruser_iam_role_path}"
+  value       = module.iam_assumable_roles.poweruser_iam_role_path
 }
 # Readonly
 output "readonly_iam_role_arn" {
  description = "ARN of readonly IAM role"
-  value       = "${module.iam_assumable_roles.readonly_iam_role_arn}"
+  value       = module.iam_assumable_roles.readonly_iam_role_arn
 }
 output "readonly_iam_role_name" {
  description = "Name of readonly IAM role"
-  value       = "${module.iam_assumable_roles.readonly_iam_role_name}"
+  value       = module.iam_assumable_roles.readonly_iam_role_name
 }
 output "readonly_iam_role_path" {
  description = "Path of readonly IAM role"
-  value       = "${module.iam_assumable_roles.readonly_iam_role_path}"
+  value       = module.iam_assumable_roles.readonly_iam_role_path
 }
 output "readonly_iam_role_requires_mfa" {
  description = "Whether readonly IAM role requires MFA"
-  value       = "${module.iam_assumable_roles.readonly_iam_role_requires_mfa}"
+  value       = module.iam_assumable_roles.readonly_iam_role_requires_mfa
 }
--- a/examples/iam-group-complete/main.tf
+++ b/examples/iam-group-complete/main.tf
@@ -30,8 +30,8 @@ module "iam_group_complete" {
  assumable_roles = ["arn:aws:iam::111111111111:role/admin"]
  group_users = [
-    "${module.iam_user1.this_iam_user_name}",
+    module.iam_user1.this_iam_user_name,
-    "${module.iam_user2.this_iam_user_name}",
+    module.iam_user2.this_iam_user_name,
  ]
 }
@@ -41,7 +41,7 @@ module "iam_group_complete" {
 module "iam_group_complete_with_custom_policy" {
  source = "../../modules/iam-group-with-policies"
-  name = "${module.iam_group_complete.group_name}"
+  name = module.iam_group_complete.group_name
  create_group = false

--- a/examples/iam-group-complete/outputs.tf
+++ b/examples/iam-group-complete/outputs.tf
 output "this_group_users" {
  description = "List of IAM users in IAM group"
-  value       = ["${module.iam_group_complete.this_group_users}"]
+  value       = module.iam_group_complete.this_group_users
 }
 output "this_assumable_roles" {
  description = "List of ARNs of IAM roles which members of IAM group can assume"
-  value       = ["${module.iam_group_complete.this_assumable_roles}"]
+  value       = module.iam_group_complete.this_assumable_roles
 }
 output "this_policy_arn" {
  description = "Assume role policy ARN for IAM group"
-  value       = "${module.iam_group_complete.this_policy_arn}"
+  value       = module.iam_group_complete.this_policy_arn
 }
--- a/examples/iam-group-with-assumable-roles-policy/main.tf
+++ b/examples/iam-group-with-assumable-roles-policy/main.tf
@@ -92,11 +92,11 @@ module "iam_group_with_assumable_roles_policy_production_readonly" {
  name = "production-readonly"
-  assumable_roles = ["${module.iam_assumable_roles_in_prod.readonly_iam_role_arn}"]
+  assumable_roles = [module.iam_assumable_roles_in_prod.readonly_iam_role_arn]
  group_users = [
-    "${module.iam_user1.this_iam_user_name}",
+    module.iam_user1.this_iam_user_name,
-    "${module.iam_user2.this_iam_user_name}",
+    module.iam_user2.this_iam_user_name,
  ]
 }
@@ -109,10 +109,10 @@ module "iam_group_with_assumable_roles_policy_production_admin" {
  name = "production-admin"
-  assumable_roles = ["${module.iam_assumable_roles_in_prod.admin_iam_role_arn}"]
+  assumable_roles = [module.iam_assumable_roles_in_prod.admin_iam_role_arn]
  group_users = [
-    "${module.iam_user1.this_iam_user_name}",
+    module.iam_user1.this_iam_user_name,
  ]
 }
@@ -125,9 +125,9 @@ module "iam_group_with_assumable_roles_policy_production_custom" {
  name = "production-custom"
-  assumable_roles = ["${module.iam_assumable_role_custom.this_iam_role_arn}"]
+  assumable_roles = [module.iam_assumable_role_custom.this_iam_role_arn]
  group_users = [
-    "${module.iam_user2.this_iam_user_name}",
+    module.iam_user2.this_iam_user_name,
  ]
 }
--- a/examples/iam-group-with-assumable-roles-policy/outputs.tf
+++ b/examples/iam-group-with-assumable-roles-policy/outputs.tf
 output "iam_account_id" {
  description = "IAM AWS account id (this code is managing resources in this account)"
-  value       = "${data.aws_caller_identity.iam.account_id}"
+  value       = data.aws_caller_identity.iam.account_id
 }
 output "production_account_id" {
  description = "Production AWS account id"
-  value       = "${data.aws_caller_identity.production.account_id}"
+  value       = data.aws_caller_identity.production.account_id
 }
 output "this_group_users" {
  description = "List of IAM users in IAM group"
-  value       = ["${module.iam_group_with_assumable_roles_policy_production_readonly.this_group_users}"]
+  value       = module.iam_group_with_assumable_roles_policy_production_readonly.this_group_users
 }
 output "this_assumable_roles" {
  description = "List of ARNs of IAM roles which members of IAM group can assume"
-  value       = ["${module.iam_group_with_assumable_roles_policy_production_readonly.this_assumable_roles}"]
+  value       = module.iam_group_with_assumable_roles_policy_production_readonly.this_assumable_roles
 }
 output "this_policy_arn" {
  description = "Assume role policy ARN for IAM group"
-  value       = "${module.iam_group_with_assumable_roles_policy_production_readonly.this_policy_arn}"
+  value       = module.iam_group_with_assumable_roles_policy_production_readonly.this_policy_arn
 }
--- a/examples/iam-group-with-policies/main.tf
+++ b/examples/iam-group-with-policies/main.tf
@@ -28,8 +28,8 @@ module "iam_group_superadmins" {
  name = "superadmins"
  group_users = [
-    "${module.iam_user1.this_iam_user_name}",
+    module.iam_user1.this_iam_user_name,
-    "${module.iam_user2.this_iam_user_name}",
+    module.iam_user2.this_iam_user_name,
  ]
  custom_group_policy_arns = [
@@ -46,8 +46,8 @@ module "iam_group_with_custom_policies" {
  name = "custom"
  group_users = [
-    "${module.iam_user1.this_iam_user_name}",
+    module.iam_user1.this_iam_user_name,
-    "${module.iam_user2.this_iam_user_name}",
+    module.iam_user2.this_iam_user_name,
  ]
  custom_group_policy_arns = [
@@ -58,7 +58,7 @@ module "iam_group_with_custom_policies" {
  custom_group_policies = [
    {
      name   = "AllowS3Listing"
-      policy = "${data.aws_iam_policy_document.sample.json}"
+      policy = data.aws_iam_policy_document.sample.json
    },
  ]
 }

--- a/examples/iam-group-with-policies/outputs.tf
+++ b/examples/iam-group-with-policies/outputs.tf
 output "iam_account_id" {
  description = "IAM AWS account id"
-  value       = "${module.iam_group_superadmins.aws_account_id}"
+  value       = module.iam_group_superadmins.aws_account_id
 }
 output "this_group_users" {
  description = "List of IAM users in IAM group"
-  value       = ["${module.iam_group_superadmins.this_group_users}"]
+  value       = module.iam_group_superadmins.this_group_users
 }
 output "this_group_name" {
  description = "IAM group name"
-  value       = "${module.iam_group_superadmins.this_group_name}"
+  value       = module.iam_group_superadmins.this_group_name
 }
--- a/examples/iam-policy/main.tf
+++ b/examples/iam-policy/main.tf
@@ -5,7 +5,7 @@ provider "aws" {
 data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid       = "AllowFullS3Access"
-    actions   = ["s3:ListBuckets"]
+    actions   = ["s3:ListAllMyBuckets"]
    resources = ["*"]
  }
 }
@@ -43,5 +43,5 @@ module "iam_policy_from_data_source" {
  path = "/"
  description = "My example policy"
-  policy = "${data.aws_iam_policy_document.bucket_policy.json}"
+  policy = data.aws_iam_policy_document.bucket_policy.json
 }
--- a/examples/iam-policy/outputs.tf
+++ b/examples/iam-policy/outputs.tf
 output "id" {
  description = "The policy ID"
-  value       = "${module.iam_policy.id}"
+  value       = module.iam_policy.id
 }
 output "arn" {
  description = "The ARN assigned by AWS to this policy"
-  value       = "${module.iam_policy.arn}"
+  value       = module.iam_policy.arn
 }
 output "description" {
  description = "The description of the policy"
-  value       = "${module.iam_policy.description}"
+  value       = module.iam_policy.description
 }
 output "name" {
  description = "The name of the policy"
-  value       = "${module.iam_policy.name}"
+  value       = module.iam_policy.name
 }
 output "path" {
  description = "The path of the policy in IAM"
-  value       = "${module.iam_policy.path}"
+  value       = module.iam_policy.path
 }
 output "policy" {
  description = "The policy document"
-  value       = "${module.iam_policy.policy}"
+  value       = module.iam_policy.policy
 }
--- a/examples/iam-user/outputs.tf
+++ b/examples/iam-user/outputs.tf
 output "this_iam_user_name" {
  description = "The user's name"
-  value       = "${module.iam_user.this_iam_user_name}"
+  value       = module.iam_user.this_iam_user_name
 }
 output "this_iam_user_arn" {
  description = "The ARN assigned by AWS for this user"
-  value       = "${module.iam_user.this_iam_user_arn}"
+  value       = module.iam_user.this_iam_user_arn
 }
 output "this_iam_user_unique_id" {
  description = "The unique ID assigned by AWS"
-  value       = "${module.iam_user.this_iam_user_unique_id}"
+  value       = module.iam_user.this_iam_user_unique_id
 }
 output "this_iam_user_login_profile_key_fingerprint" {
  description = "The fingerprint of the PGP key used to encrypt the password"
-  value       = "${module.iam_user.this_iam_user_login_profile_key_fingerprint}"
+  value       = module.iam_user.this_iam_user_login_profile_key_fingerprint
 }
 output "this_iam_user_login_profile_encrypted_password" {
  description = "The encrypted password, base64 encoded"
-  value       = "${module.iam_user.this_iam_user_login_profile_encrypted_password}"
+  value       = module.iam_user.this_iam_user_login_profile_encrypted_password
 }
 output "this_iam_access_key_id" {
  description = "The access key ID"
-  value       = "${module.iam_user.this_iam_access_key_id}"
+  value       = module.iam_user.this_iam_access_key_id
 }
 output "this_iam_access_key_key_fingerprint" {
  description = "The fingerprint of the PGP key used to encrypt the secret"
-  value       = "${module.iam_user.this_iam_access_key_key_fingerprint}"
+  value       = module.iam_user.this_iam_access_key_key_fingerprint
 }
 output "this_iam_access_key_encrypted_secret" {
  description = "The encrypted secret, base64 encoded"
-  value       = "${module.iam_user.this_iam_access_key_encrypted_secret}"
+  value       = module.iam_user.this_iam_access_key_encrypted_secret
 }
 output "this_iam_access_key_secret" {
  description = "The access key secret"
-  value       = "${module.iam_user.this_iam_access_key_secret}"
+  value       = module.iam_user.this_iam_access_key_secret
 }
 output "this_iam_access_key_ses_smtp_password" {
  description = "The secret access key converted into an SES SMTP password"
-  value       = "${module.iam_user.this_iam_access_key_ses_smtp_password}"
+  value       = module.iam_user.this_iam_access_key_ses_smtp_password
 }
 output "this_iam_access_key_status" {
  description = "Active or Inactive. Keys are initially active, but can be made inactive by other means."
-  value       = "${module.iam_user.this_iam_access_key_status}"
+  value       = module.iam_user.this_iam_access_key_status
 }
 output "pgp_key" {
  description = "PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted)"
-  value       = "${module.iam_user.pgp_key}"
+  value       = module.iam_user.pgp_key
 }
 output "keybase_password_decrypt_command" {
-  value = "${module.iam_user.keybase_password_decrypt_command}"
+  value = module.iam_user.keybase_password_decrypt_command
 }
 output "keybase_password_pgp_message" {
-  value = "${module.iam_user.keybase_password_pgp_message}"
+  value = module.iam_user.keybase_password_pgp_message
 }
 output "keybase_secret_key_decrypt_command" {
-  value = "${module.iam_user.keybase_secret_key_decrypt_command}"
+  value = module.iam_user.keybase_secret_key_decrypt_command
 }
 output "keybase_secret_key_pgp_message" {
-  value = "${module.iam_user.keybase_secret_key_pgp_message}"
+  value = module.iam_user.keybase_secret_key_pgp_message
 }
--- a/modules/iam-account/main.tf
+++ b/modules/iam-account/main.tf
 data "aws_caller_identity" "this" {
-  count = "${var.get_caller_identity}"
+  count = var.get_caller_identity ? 1 : 0
 }
 resource "aws_iam_account_alias" "this" {
-  account_alias = "${var.account_alias}"
+  account_alias = var.account_alias
 }
 resource "aws_iam_account_password_policy" "this" {
-  count = "${var.create_account_password_policy ? 1 : 0}"
+  count = var.create_account_password_policy ? 1 : 0
-  max_password_age               = "${var.max_password_age}"
+  max_password_age               = var.max_password_age
-  minimum_password_length        = "${var.minimum_password_length}"
+  minimum_password_length        = var.minimum_password_length
-  allow_users_to_change_password = "${var.allow_users_to_change_password}"
+  allow_users_to_change_password = var.allow_users_to_change_password
-  hard_expiry                    = "${var.hard_expiry}"
+  hard_expiry                    = var.hard_expiry
-  password_reuse_prevention      = "${var.password_reuse_prevention}"
+  password_reuse_prevention      = var.password_reuse_prevention
-  require_lowercase_characters   = "${var.require_lowercase_characters}"
+  require_lowercase_characters   = var.require_lowercase_characters
-  require_uppercase_characters   = "${var.require_uppercase_characters}"
+  require_uppercase_characters   = var.require_uppercase_characters
-  require_numbers                = "${var.require_numbers}"
+  require_numbers                = var.require_numbers
-  require_symbols                = "${var.require_symbols}"
+  require_symbols                = var.require_symbols
 }
--- a/modules/iam-account/outputs.tf
+++ b/modules/iam-account/outputs.tf
 output "this_caller_identity_account_id" {
  description = "The AWS Account ID number of the account that owns or contains the calling entity"
-  value       = "${element(concat(data.aws_caller_identity.this.*.account_id, list("")), 0)}"
+  value       = element(concat(data.aws_caller_identity.this.*.account_id, [""]), 0)
 }
 output "this_caller_identity_arn" {
  description = "The AWS ARN associated with the calling entity"
-  value       = "${element(concat(data.aws_caller_identity.this.*.arn, list("")), 0)}"
+  value       = element(concat(data.aws_caller_identity.this.*.arn, [""]), 0)
 }
 output "this_caller_identity_user_id" {
  description = "The unique identifier of the calling entity"
-  value       = "${element(concat(data.aws_caller_identity.this.*.user_id, list("")), 0)}"
+  value       = element(concat(data.aws_caller_identity.this.*.user_id, [""]), 0)
 }
 output "this_iam_account_password_policy_expire_passwords" {
  description = "Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present."
-  value       = "${element(concat(aws_iam_account_password_policy.this.*.expire_passwords, list("")), 0)}"
+  value       = element(concat(aws_iam_account_password_policy.this.*.expire_passwords, [""]), 0)
 }
--- a/modules/iam-account/variables.tf
+++ b/modules/iam-account/variables.tf
 variable "get_caller_identity" {
  description = "Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized"
+  type        = bool
  default     = true
 }
 variable "account_alias" {
  description = "AWS IAM account alias for this account"
+  type        = string
 }
 variable "create_account_password_policy" {
  description = "Whether to create AWS IAM account password policy"
+  type        = bool
  default     = true
 }
 variable "max_password_age" {
  description = "The number of days that an user password is valid."
+  type        = number
  default     = 0
 }
 variable "minimum_password_length" {
  description = "Minimum length to require for user passwords"
+  type        = number
  default     = 8
 }
 variable "allow_users_to_change_password" {
  description = "Whether to allow users to change their own password"
+  type        = bool
  default     = true
 }
 variable "hard_expiry" {
  description = "Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)"
+  type        = bool
  default     = false
 }
 variable "password_reuse_prevention" {
  description = "The number of previous passwords that users are prevented from reusing"
-  default     = true
+  type        = number
+  default     = null
 }
 variable "require_lowercase_characters" {
  description = "Whether to require lowercase characters for user passwords"
+  type        = bool
  default     = true
 }
 variable "require_uppercase_characters" {
  description = "Whether to require uppercase characters for user passwords"
+  type        = bool
  default     = true
 }
 variable "require_numbers" {
  description = "Whether to require numbers for user passwords"
+  type        = bool
  default     = true
 }
 variable "require_symbols" {
  description = "Whether to require symbols for user passwords"
+  type        = bool
  default     = true
 }
--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
@@ -6,7 +6,7 @@ data "aws_iam_policy_document" "assume_role" {
    principals {
      type        = "AWS"
-      identifiers = ["${var.trusted_role_arns}"]
+      identifiers = var.trusted_role_arns
    }
  }
 }
@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
    principals {
      type        = "AWS"
-      identifiers = ["${var.trusted_role_arns}"]
+      identifiers = var.trusted_role_arns
    }
    condition {
@@ -31,49 +31,50 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
    condition {
      test     = "NumericLessThan"
      variable = "aws:MultiFactorAuthAge"
-      values   = ["${var.mfa_age}"]
+      values   = [var.mfa_age]
    }
  }
 }
 resource "aws_iam_role" "this" {
-  count = "${var.create_role ? 1 : 0}"
+  count = var.create_role ? 1 : 0
-  name                 = "${var.role_name}"
+  name                 = var.role_name
-  path                 = "${var.role_path}"
+  path                 = var.role_path
-  max_session_duration = "${var.max_session_duration}"
+  max_session_duration = var.max_session_duration
-  permissions_boundary = "${var.role_permissions_boundary_arn}"
+  permissions_boundary = var.role_permissions_boundary_arn
-  assume_role_policy = "${var.role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
+  assume_role_policy = var.role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json
-  tags = "${var.tags}"
+  tags = var.tags
 }
 resource "aws_iam_role_policy_attachment" "custom" {
-  count = "${var.create_role && length(var.custom_role_policy_arns) > 0 ? length(var.custom_role_policy_arns) : 0}"
+  count = var.create_role && length(var.custom_role_policy_arns) > 0 ? length(var.custom_role_policy_arns) : 0
-  role       = "${aws_iam_role.this.name}"
+  role       = aws_iam_role.this[0].name
-  policy_arn = "${element(var.custom_role_policy_arns, count.index)}"
+  policy_arn = element(var.custom_role_policy_arns, count.index)
 }
 resource "aws_iam_role_policy_attachment" "admin" {
-  count = "${var.create_role && var.attach_admin_policy ? 1 : 0}"
+  count = var.create_role && var.attach_admin_policy ? 1 : 0
-  role       = "${aws_iam_role.this.name}"
+  role       = aws_iam_role.this[0].name
-  policy_arn = "${var.admin_role_policy_arn}"
+  policy_arn = var.admin_role_policy_arn
 }
 resource "aws_iam_role_policy_attachment" "poweruser" {
-  count = "${var.create_role && var.attach_poweruser_policy ? 1 : 0}"
+  count = var.create_role && var.attach_poweruser_policy ? 1 : 0
-  role       = "${aws_iam_role.this.name}"
+  role       = aws_iam_role.this[0].name
-  policy_arn = "${var.poweruser_role_policy_arn}"
+  policy_arn = var.poweruser_role_policy_arn
 }
 resource "aws_iam_role_policy_attachment" "readonly" {
-  count = "${var.create_role && var.attach_readonly_policy ? 1 : 0}"
+  count = var.create_role && var.attach_readonly_policy ? 1 : 0
-  role       = "${aws_iam_role.this.name}"
+  role       = aws_iam_role.this[0].name
-  policy_arn = "${var.readonly_role_policy_arn}"
+  policy_arn = var.readonly_role_policy_arn
 }
--- a/modules/iam-assumable-role/outputs.tf
+++ b/modules/iam-assumable-role/outputs.tf
 output "this_iam_role_arn" {
  description = "ARN of IAM role"
-  value       = "${element(concat(aws_iam_role.this.*.arn, list("")), 0)}"
+  value       = element(concat(aws_iam_role.this.*.arn, [""]), 0)
 }
 output "this_iam_role_name" {
  description = "Name of IAM role"
-  value       = "${element(concat(aws_iam_role.this.*.name, list("")), 0)}"
+  value       = element(concat(aws_iam_role.this.*.name, [""]), 0)
 }
 output "this_iam_role_path" {
  description = "Path of IAM role"
-  value       = "${element(concat(aws_iam_role.this.*.path, list("")), 0)}"
+  value       = element(concat(aws_iam_role.this.*.path, [""]), 0)
 }
 output "role_requires_mfa" {
  description = "Whether IAM role requires MFA"
-  value       = "${var.role_requires_mfa}"
+  value       = var.role_requires_mfa
 }
--- a/modules/iam-assumable-role/variables.tf
+++ b/modules/iam-assumable-role/variables.tf
 variable "trusted_role_arns" {
  description = "ARNs of AWS entities who can assume these roles"
+  type        = list(string)
  default     = []
 }
 variable "mfa_age" {
  description = "Max age of valid MFA (in seconds) for roles which require MFA"
+  type        = number
  default     = 86400
 }
 variable "max_session_duration" {
  description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
+  type        = number
  default     = 3600
 }
 variable "create_role" {
  description = "Whether to create a role"
+  type        = bool
  default     = false
 }
 variable "role_name" {
  description = "IAM role name"
+  type        = string
  default     = ""
 }
 variable "role_path" {
  description = "Path of IAM role"
+  type        = string
  default     = "/"
 }
 variable "role_requires_mfa" {
  description = "Whether role requires MFA"
+  type        = bool
  default     = true
 }
 variable "role_permissions_boundary_arn" {
  description = "Permissions boundary ARN to use for IAM role"
+  type        = string
  default     = ""
 }
+variable "tags" {
+  description = "A map of tags to add to IAM role resources"
+  type        = map(string)
+  default     = {}
+}
 variable "custom_role_policy_arns" {
  description = "List of ARNs of IAM policies to attach to IAM role"
+  type        = list(string)
  default     = []
 }
 # Pre-defined policies
 variable "admin_role_policy_arn" {
  description = "Policy ARN to use for admin role"
+  type        = string
  default     = "arn:aws:iam::aws:policy/AdministratorAccess"
 }
 variable "poweruser_role_policy_arn" {
  description = "Policy ARN to use for poweruser role"
+  type        = string
  default     = "arn:aws:iam::aws:policy/PowerUserAccess"
 }
 variable "readonly_role_policy_arn" {
  description = "Policy ARN to use for readonly role"
+  type        = string
  default     = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
 variable "attach_admin_policy" {
  description = "Whether to attach an admin policy to a role"
+  type        = bool
  default     = false
 }
 variable "attach_poweruser_policy" {
  description = "Whether to attach a poweruser policy to a role"
+  type        = bool
  default     = false
 }
 variable "attach_readonly_policy" {
  description = "Whether to attach a readonly policy to a role"
+  type        = bool
  default     = false
 }
-variable "tags" {
-  description = "A map of tags to add to all resources."
-  type        = "map"
-  default     = {}
-}
--- a/modules/iam-assumable-roles-with-saml/main.tf
+++ b/modules/iam-assumable-roles-with-saml/main.tf
@@ -6,79 +6,79 @@ data "aws_iam_policy_document" "assume_role_with_saml" {
    principals {
      type        = "Federated"
-      identifiers = ["${var.provider_id}"]
+      identifiers = [var.provider_id]
    }
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
-      values   = ["${var.aws_saml_endpoint}"]
+      values   = [var.aws_saml_endpoint]
    }
  }
 }
 # Admin
 resource "aws_iam_role" "admin" {
-  count = "${var.create_admin_role ? 1 : 0}"
+  count = var.create_admin_role ? 1 : 0
-  name                 = "${var.admin_role_name}"
+  name                 = var.admin_role_name
-  path                 = "${var.admin_role_path}"
+  path                 = var.admin_role_path
-  max_session_duration = "${var.max_session_duration}"
+  max_session_duration = var.max_session_duration
-  permissions_boundary = "${var.admin_role_permissions_boundary_arn}"
+  permissions_boundary = var.admin_role_permissions_boundary_arn
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
-  tags = "${var.admin_role_tags}"
+  tags = var.admin_role_tags
 }
 resource "aws_iam_role_policy_attachment" "admin" {
-  count = "${var.create_admin_role ? length(var.admin_role_policy_arns) : 0}"
+  count = var.create_admin_role ? length(var.admin_role_policy_arns) : 0
-  role       = "${aws_iam_role.admin.name}"
+  role       = aws_iam_role.admin[0].name
-  policy_arn = "${element(var.admin_role_policy_arns, count.index)}"
+  policy_arn = element(var.admin_role_policy_arns, count.index)
 }
 # Poweruser
 resource "aws_iam_role" "poweruser" {
-  count = "${var.create_poweruser_role ? 1 : 0}"
+  count = var.create_poweruser_role ? 1 : 0
-  name                 = "${var.poweruser_role_name}"
+  name                 = var.poweruser_role_name
-  path                 = "${var.poweruser_role_path}"
+  path                 = var.poweruser_role_path
-  max_session_duration = "${var.max_session_duration}"
+  max_session_duration = var.max_session_duration
-  permissions_boundary = "${var.poweruser_role_permissions_boundary_arn}"
+  permissions_boundary = var.poweruser_role_permissions_boundary_arn
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
-  tags = "${var.poweruser_role_tags}"
+  tags = var.poweruser_role_tags
 }
 resource "aws_iam_role_policy_attachment" "poweruser" {
-  count = "${var.create_poweruser_role ? length(var.poweruser_role_policy_arns) : 0}"
+  count = var.create_poweruser_role ? length(var.poweruser_role_policy_arns) : 0
-  role       = "${aws_iam_role.poweruser.name}"
+  role       = aws_iam_role.poweruser[0].name
-  policy_arn = "${element(var.poweruser_role_policy_arns, count.index)}"
+  policy_arn = element(var.poweruser_role_policy_arns, count.index)
 }
 # Readonly
 resource "aws_iam_role" "readonly" {
-  count = "${var.create_readonly_role ? 1 : 0}"
+  count = var.create_readonly_role ? 1 : 0
-  name                 = "${var.readonly_role_name}"
+  name                 = var.readonly_role_name
-  path                 = "${var.readonly_role_path}"
+  path                 = var.readonly_role_path
-  max_session_duration = "${var.max_session_duration}"
+  max_session_duration = var.max_session_duration
-  permissions_boundary = "${var.readonly_role_permissions_boundary_arn}"
+  permissions_boundary = var.readonly_role_permissions_boundary_arn
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
-  tags = "${var.readonly_role_tags}"
+  tags = var.readonly_role_tags
 }
 resource "aws_iam_role_policy_attachment" "readonly" {
-  count = "${var.create_readonly_role ? length(var.readonly_role_policy_arns) : 0}"
+  count = var.create_readonly_role ? length(var.readonly_role_policy_arns) : 0
-  role       = "${aws_iam_role.readonly.name}"
+  role       = aws_iam_role.readonly[0].name
-  policy_arn = "${element(var.readonly_role_policy_arns, count.index)}"
+  policy_arn = element(var.readonly_role_policy_arns, count.index)
 }
--- a/modules/iam-assumable-roles-with-saml/outputs.tf
+++ b/modules/iam-assumable-roles-with-saml/outputs.tf
 #Admin
 output "admin_iam_role_arn" {
  description = "ARN of admin IAM role"
-  value       = "${element(concat(aws_iam_role.admin.*.arn, list("")), 0)}"
+  value       = element(concat(aws_iam_role.admin.*.arn, list("")), 0)
 }
 output "admin_iam_role_name" {
  description = "Name of admin IAM role"
-  value       = "${element(concat(aws_iam_role.admin.*.name, list("")), 0)}"
+  value       = element(concat(aws_iam_role.admin.*.name, list("")), 0)
 }
 output "admin_iam_role_path" {
  description = "Path of admin IAM role"
-  value       = "${element(concat(aws_iam_role.admin.*.path, list("")), 0)}"
+  value       = element(concat(aws_iam_role.admin.*.path, list("")), 0)
 }
 output "poweruser_iam_role_arn" {
  description = "ARN of poweruser IAM role"
-  value       = "${element(concat(aws_iam_role.poweruser.*.arn, list("")), 0)}"
+  value       = element(concat(aws_iam_role.poweruser.*.arn, list("")), 0)
 }
 output "poweruser_iam_role_name" {
  description = "Name of poweruser IAM role"
-  value       = "${element(concat(aws_iam_role.poweruser.*.name, list("")), 0)}"
+  value       = element(concat(aws_iam_role.poweruser.*.name, list("")), 0)
 }
 output "poweruser_iam_role_path" {
  description = "Path of poweruser IAM role"
-  value       = "${element(concat(aws_iam_role.poweruser.*.path, list("")), 0)}"
+  value       = element(concat(aws_iam_role.poweruser.*.path, list("")), 0)
 }
 # Readonly
 output "readonly_iam_role_arn" {
  description = "ARN of readonly IAM role"
-  value       = "${element(concat(aws_iam_role.readonly.*.arn, list("")), 0)}"
+  value       = element(concat(aws_iam_role.readonly.*.arn, list("")), 0)
 }
 output "readonly_iam_role_name" {
  description = "Name of readonly IAM role"
-  value       = "${element(concat(aws_iam_role.readonly.*.name, list("")), 0)}"
+  value       = element(concat(aws_iam_role.readonly.*.name, list("")), 0)
 }
 output "readonly_iam_role_path" {
  description = "Path of readonly IAM role"
-  value       = "${element(concat(aws_iam_role.readonly.*.path, list("")), 0)}"
+  value       = element(concat(aws_iam_role.readonly.*.path, list("")), 0)
 }
--- a/modules/iam-assumable-roles-with-saml/variables.tf
+++ b/modules/iam-assumable-roles-with-saml/variables.tf
 variable "provider_name" {
  description = "Name of the SAML Provider"
+  type        = string
 }
 variable "provider_id" {
  description = "ID of the SAML Provider"
+  type        = string
 }
 variable "aws_saml_endpoint" {
  description = "AWS SAML Endpoint"
-  default     = ["https://signin.aws.amazon.com/saml"]
+  default     = "https://signin.aws.amazon.com/saml"
-  type        = "list"
+  type        = string
 }
 # Admin
 variable "create_admin_role" {
  description = "Whether to create admin role"
+  type        = bool
  default     = false
 }
 variable "admin_role_name" {
  description = "IAM role with admin access"
+  type        = string
  default     = "admin"
 }
 variable "admin_role_path" {
  description = "Path of admin IAM role"
+  type        = string
  default     = "/"
 }
 variable "admin_role_policy_arns" {
  description = "List of policy ARNs to use for admin role"
-  type        = "list"
+  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/AdministratorAccess"]
 }
 variable "admin_role_permissions_boundary_arn" {
  description = "Permissions boundary ARN to use for admin role"
+  type        = string
  default     = ""
 }
 variable "admin_role_tags" {
  description = "A map of tags to add to admin role resource."
-  type        = "map"
+  type        = map(string)
  default     = {}
 }
 # Poweruser
 variable "create_poweruser_role" {
  description = "Whether to create poweruser role"
+  type        = bool
  default     = false
 }
 variable "poweruser_role_name" {
  description = "IAM role with poweruser access"
+  type        = string
  default     = "poweruser"
 }
 variable "poweruser_role_path" {
  description = "Path of poweruser IAM role"
+  type        = string
  default     = "/"
 }
 variable "poweruser_role_policy_arns" {
  description = "List of policy ARNs to use for poweruser role"
-  type        = "list"
+  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/PowerUserAccess"]
 }
 variable "poweruser_role_permissions_boundary_arn" {
  description = "Permissions boundary ARN to use for poweruser role"
+  type        = string
  default     = ""
 }
 variable "poweruser_role_tags" {
  description = "A map of tags to add to poweruser role resource."
-  type        = "map"
+  type        = map(string)
  default     = {}
 }
 # Readonly
 variable "create_readonly_role" {
  description = "Whether to create readonly role"
+  type        = bool
  default     = false
 }
 variable "readonly_role_name" {
  description = "IAM role with readonly access"
+  type        = string
  default     = "readonly"
 }
 variable "readonly_role_path" {
  description = "Path of readonly IAM role"
+  type        = string
  default     = "/"
 }
 variable "readonly_role_policy_arns" {
  description = "List of policy ARNs to use for readonly role"
-  type        = "list"
+  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
 }
 variable "readonly_role_permissions_boundary_arn" {
  description = "Permissions boundary ARN to use for readonly role"
+  type        = string
  default     = ""
 }
 variable "readonly_role_tags" {
  description = "A map of tags to add to readonly role resource."
-  type        = "map"
+  type        = map(string)
  default     = {}
 }
 variable "max_session_duration" {
  description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
+  type        = number
  default     = 3600
 }
--- a/modules/iam-assumable-roles/main.tf
+++ b/modules/iam-assumable-roles/main.tf
@@ -6,7 +6,7 @@ data "aws_iam_policy_document" "assume_role" {
    principals {
      type        = "AWS"
-      identifiers = ["${var.trusted_role_arns}"]
+      identifiers = var.trusted_role_arns
    }
  }
 }
@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
    principals {
      type        = "AWS"
-      identifiers = ["${var.trusted_role_arns}"]
+      identifiers = var.trusted_role_arns
    }
    condition {
@@ -31,73 +31,74 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
    condition {
      test     = "NumericLessThan"
      variable = "aws:MultiFactorAuthAge"
-      values   = ["${var.mfa_age}"]
+      values   = [var.mfa_age]
    }
  }
 }
 # Admin
 resource "aws_iam_role" "admin" {
-  count = "${var.create_admin_role ? 1 : 0}"
+  count = var.create_admin_role ? 1 : 0
-  name                 = "${var.admin_role_name}"
+  name                 = var.admin_role_name
-  path                 = "${var.admin_role_path}"
+  path                 = var.admin_role_path
-  max_session_duration = "${var.max_session_duration}"
+  max_session_duration = var.max_session_duration
-  permissions_boundary = "${var.admin_role_permissions_boundary_arn}"
+  permissions_boundary = var.admin_role_permissions_boundary_arn
-  assume_role_policy = "${var.admin_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
+  assume_role_policy = var.admin_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json
-  tags = "${var.admin_role_tags}"
+  tags = var.admin_role_tags
 }
 resource "aws_iam_role_policy_attachment" "admin" {
-  count = "${var.create_admin_role ? length(var.admin_role_policy_arns) : 0}"
+  count = var.create_admin_role ? length(var.admin_role_policy_arns) : 0
-  role       = "${aws_iam_role.admin.name}"
+  role       = aws_iam_role.admin[0].name
-  policy_arn = "${element(var.admin_role_policy_arns, count.index)}"
+  policy_arn = element(var.admin_role_policy_arns, count.index)
 }
 # Poweruser
 resource "aws_iam_role" "poweruser" {
-  count = "${var.create_poweruser_role ? 1 : 0}"
+  count = var.create_poweruser_role ? 1 : 0
-  name                 = "${var.poweruser_role_name}"
+  name                 = var.poweruser_role_name
-  path                 = "${var.poweruser_role_path}"
+  path                 = var.poweruser_role_path
-  max_session_duration = "${var.max_session_duration}"
+  max_session_duration = var.max_session_duration
-  permissions_boundary = "${var.poweruser_role_permissions_boundary_arn}"
+  permissions_boundary = var.poweruser_role_permissions_boundary_arn
-  assume_role_policy = "${var.poweruser_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
+  assume_role_policy = var.poweruser_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json
-  tags = "${var.poweruser_role_tags}"
+  tags = var.poweruser_role_tags
 }
 resource "aws_iam_role_policy_attachment" "poweruser" {
-  count = "${var.create_poweruser_role ? length(var.poweruser_role_policy_arns) : 0}"
+  count = var.create_poweruser_role ? length(var.poweruser_role_policy_arns) : 0
-  role       = "${aws_iam_role.poweruser.name}"
+  role       = aws_iam_role.poweruser[0].name
-  policy_arn = "${element(var.poweruser_role_policy_arns, count.index)}"
+  policy_arn = element(var.poweruser_role_policy_arns, count.index)
 }
 # Readonly
 resource "aws_iam_role" "readonly" {
-  count = "${var.create_readonly_role ? 1 : 0}"
+  count = var.create_readonly_role ? 1 : 0
-  name                 = "${var.readonly_role_name}"
+  name                 = var.readonly_role_name
-  path                 = "${var.readonly_role_path}"
+  path                 = var.readonly_role_path
-  max_session_duration = "${var.max_session_duration}"
+  max_session_duration = var.max_session_duration
-  permissions_boundary = "${var.readonly_role_permissions_boundary_arn}"
+  permissions_boundary = var.readonly_role_permissions_boundary_arn
-  assume_role_policy = "${var.readonly_role_requires_mfa ?  data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
+  assume_role_policy = var.readonly_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json
-  tags = "${var.readonly_role_tags}"
+  tags = var.readonly_role_tags
 }
 resource "aws_iam_role_policy_attachment" "readonly" {
-  count = "${var.create_readonly_role ? length(var.readonly_role_policy_arns) : 0}"
+  count = var.create_readonly_role ? length(var.readonly_role_policy_arns) : 0
-  role       = "${aws_iam_role.readonly.name}"
+  role       = aws_iam_role.readonly[0].name
-  policy_arn = "${element(var.readonly_role_policy_arns, count.index)}"
+  policy_arn = element(var.readonly_role_policy_arns, count.index)
 }
--- a/modules/iam-assumable-roles/outputs.tf
+++ b/modules/iam-assumable-roles/outputs.tf
 #Admin
 output "admin_iam_role_arn" {
  description = "ARN of admin IAM role"
-  value       = "${element(concat(aws_iam_role.admin.*.arn, list("")), 0)}"
+  value       = element(concat(aws_iam_role.admin.*.arn, [""]), 0)
 }
 output "admin_iam_role_name" {
  description = "Name of admin IAM role"
-  value       = "${element(concat(aws_iam_role.admin.*.name, list("")), 0)}"
+  value       = element(concat(aws_iam_role.admin.*.name, [""]), 0)
 }
 output "admin_iam_role_path" {
  description = "Path of admin IAM role"
-  value       = "${element(concat(aws_iam_role.admin.*.path, list("")), 0)}"
+  value       = element(concat(aws_iam_role.admin.*.path, [""]), 0)
 }
 output "admin_iam_role_requires_mfa" {
  description = "Whether admin IAM role requires MFA"
-  value       = "${var.admin_role_requires_mfa}"
+  value       = var.admin_role_requires_mfa
 }
 # Poweruser
 output "poweruser_iam_role_arn" {
  description = "ARN of poweruser IAM role"
-  value       = "${element(concat(aws_iam_role.poweruser.*.arn, list("")), 0)}"
+  value       = element(concat(aws_iam_role.poweruser.*.arn, [""]), 0)
 }
 output "poweruser_iam_role_name" {
  description = "Name of poweruser IAM role"
-  value       = "${element(concat(aws_iam_role.poweruser.*.name, list("")), 0)}"
+  value       = element(concat(aws_iam_role.poweruser.*.name, [""]), 0)
 }
 output "poweruser_iam_role_path" {
  description = "Path of poweruser IAM role"
-  value       = "${element(concat(aws_iam_role.poweruser.*.path, list("")), 0)}"
+  value       = element(concat(aws_iam_role.poweruser.*.path, [""]), 0)
 }
 output "poweruser_iam_role_requires_mfa" {
  description = "Whether poweruser IAM role requires MFA"
-  value       = "${var.poweruser_role_requires_mfa}"
+  value       = var.poweruser_role_requires_mfa
 }
 # Readonly
 output "readonly_iam_role_arn" {
  description = "ARN of readonly IAM role"
-  value       = "${element(concat(aws_iam_role.readonly.*.arn, list("")), 0)}"
+  value       = element(concat(aws_iam_role.readonly.*.arn, [""]), 0)
 }
 output "readonly_iam_role_name" {
  description = "Name of readonly IAM role"
-  value       = "${element(concat(aws_iam_role.readonly.*.name, list("")), 0)}"
+  value       = element(concat(aws_iam_role.readonly.*.name, [""]), 0)
 }
 output "readonly_iam_role_path" {
  description = "Path of readonly IAM role"
-  value       = "${element(concat(aws_iam_role.readonly.*.path, list("")), 0)}"
+  value       = element(concat(aws_iam_role.readonly.*.path, [""]), 0)
 }
 output "readonly_iam_role_requires_mfa" {
  description = "Whether readonly IAM role requires MFA"
-  value       = "${var.readonly_role_requires_mfa}"
+  value       = var.readonly_role_requires_mfa
 }
--- a/modules/iam-assumable-roles/variables.tf
+++ b/modules/iam-assumable-roles/variables.tf
 variable "trusted_role_arns" {
  description = "ARNs of AWS entities who can assume these roles"
+  type        = list(string)
  default     = []
 }
 variable "mfa_age" {
  description = "Max age of valid MFA (in seconds) for roles which require MFA"
+  type        = number
  default     = 86400
 }
 # Admin
 variable "create_admin_role" {
  description = "Whether to create admin role"
+  type        = bool
  default     = false
 }
 variable "admin_role_name" {
  description = "IAM role with admin access"
+  type        = string
  default     = "admin"
 }
 variable "admin_role_path" {
  description = "Path of admin IAM role"
+  type        = string
  default     = "/"
 }
 variable "admin_role_requires_mfa" {
  description = "Whether admin role requires MFA"
+  type        = bool
  default     = true
 }
 variable "admin_role_policy_arns" {
  description = "List of policy ARNs to use for admin role"
-  type        = "list"
+  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/AdministratorAccess"]
 }
 variable "admin_role_permissions_boundary_arn" {
  description = "Permissions boundary ARN to use for admin role"
+  type        = string
  default     = ""
 }
 variable "admin_role_tags" {
  description = "A map of tags to add to admin role resource."
-  type        = "map"
+  type        = map(string)
  default     = {}
 }
 # Poweruser
 variable "create_poweruser_role" {
  description = "Whether to create poweruser role"
+  type        = bool
  default     = false
 }
 variable "poweruser_role_name" {
  description = "IAM role with poweruser access"
+  type        = string
  default     = "poweruser"
 }
 variable "poweruser_role_path" {
  description = "Path of poweruser IAM role"
+  type        = string
  default     = "/"
 }
 variable "poweruser_role_requires_mfa" {
  description = "Whether poweruser role requires MFA"
+  type        = bool
  default     = true
 }
 variable "poweruser_role_policy_arns" {
  description = "List of policy ARNs to use for poweruser role"
-  type        = "list"
+  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/PowerUserAccess"]
 }
 variable "poweruser_role_permissions_boundary_arn" {
  description = "Permissions boundary ARN to use for poweruser role"
+  type        = string
  default     = ""
 }
 variable "poweruser_role_tags" {
-  description = "A map of tags to add to power role resource."
+  description = "A map of tags to add to poweruser role resource."
-  type        = "map"
+  type        = map(string)
  default     = {}
 }
 # Readonly
 variable "create_readonly_role" {
  description = "Whether to create readonly role"
+  type        = bool
  default     = false
 }
 variable "readonly_role_name" {
  description = "IAM role with readonly access"
+  type        = string
  default     = "readonly"
 }
 variable "readonly_role_path" {
  description = "Path of readonly IAM role"
+  type        = string
  default     = "/"
 }
 variable "readonly_role_requires_mfa" {
  description = "Whether readonly role requires MFA"
+  type        = bool
  default     = true
 }
 variable "readonly_role_policy_arns" {
  description = "List of policy ARNs to use for readonly role"
-  type        = "list"
+  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
 }
 variable "readonly_role_permissions_boundary_arn" {
  description = "Permissions boundary ARN to use for readonly role"
+  type        = string
  default     = ""
 }
 variable "readonly_role_tags" {
  description = "A map of tags to add to readonly role resource."
-  type        = "map"
+  type        = map(string)
  default     = {}
 }
 variable "max_session_duration" {
  description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
+  type        = number
  default     = 3600
 }
--- a/modules/iam-group-with-assumable-roles-policy/main.tf
+++ b/modules/iam-group-with-assumable-roles-policy/main.tf
@@ -2,29 +2,30 @@ data "aws_iam_policy_document" "assume_role" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
-    resources = ["${var.assumable_roles}"]
+    resources = var.assumable_roles
  }
 }
 resource "aws_iam_policy" "this" {
-  name        = "${var.name}"
+  name        = var.name
  description = "Allows to assume role in another AWS account"
-  policy      = "${data.aws_iam_policy_document.assume_role.json}"
+  policy      = data.aws_iam_policy_document.assume_role.json
 }
 resource "aws_iam_group" "this" {
-  name = "${var.name}"
+  name = var.name
 }
 resource "aws_iam_group_policy_attachment" "this" {
-  group      = "${aws_iam_group.this.id}"
+  group      = aws_iam_group.this.id
-  policy_arn = "${aws_iam_policy.this.id}"
+  policy_arn = aws_iam_policy.this.id
 }
 resource "aws_iam_group_membership" "this" {
-  count = "${length(var.group_users) > 0 ? 1 : 0}"
+  count = length(var.group_users) > 0 ? 1 : 0
-  group = "${aws_iam_group.this.id}"
+  group = aws_iam_group.this.id
-  name  = "${var.name}"
+  name  = var.name
-  users = ["${var.group_users}"]
+  users = var.group_users
 }
--- a/modules/iam-group-with-assumable-roles-policy/outputs.tf
+++ b/modules/iam-group-with-assumable-roles-policy/outputs.tf
 output "this_group_users" {
  description = "List of IAM users in IAM group"
-  value       = ["${split(",", join(",", flatten(aws_iam_group_membership.this.*.users)))}"]
+  value       = flatten(aws_iam_group_membership.this.*.users)
 }
 output "this_assumable_roles" {
  description = "List of ARNs of IAM roles which members of IAM group can assume"
-  value       = ["${var.assumable_roles}"]
+  value       = var.assumable_roles
 }
 output "this_policy_arn" {
  description = "Assume role policy ARN of IAM group"
-  value       = "${aws_iam_policy.this.arn}"
+  value       = aws_iam_policy.this.arn
 }
 output "group_name" {
  description = "IAM group name"
-  value       = "${aws_iam_group.this.name}"
+  value       = aws_iam_group.this.name
 }
--- a/modules/iam-group-with-assumable-roles-policy/variables.tf
+++ b/modules/iam-group-with-assumable-roles-policy/variables.tf
 variable "name" {
  description = "Name of IAM policy and IAM group"
+  type        = string
 }
 variable "assumable_roles" {
  description = "List of IAM roles ARNs which can be assumed by the group"
+  type        = list(string)
  default     = []
 }
 variable "group_users" {
  description = "List of IAM users to have in an IAM group which can assume the role"
+  type        = list(string)
  default     = []
 }
--- a/modules/iam-group-with-policies/main.tf
+++ b/modules/iam-group-with-policies/main.tf
 locals {
-  group_name = "${element(concat(aws_iam_group.this.*.id, list(var.name)), 0)}"
+  group_name = element(concat(aws_iam_group.this.*.id, [var.name]), 0)
 }
 resource "aws_iam_group" "this" {
-  count = "${var.create_group ? 1 : 0}"
+  count = var.create_group ? 1 : 0
-  name = "${var.name}"
+  name = var.name
 }
 resource "aws_iam_group_membership" "this" {
-  count = "${length(var.group_users) > 0 ? 1 : 0}"
+  count = length(var.group_users) > 0 ? 1 : 0
-  group = "${local.group_name}"
+  group = local.group_name
-  name  = "${var.name}"
+  name  = var.name
-  users = ["${var.group_users}"]
+  users = var.group_users
 }
 ################################
 # IAM group policy attachements
 ################################
 resource "aws_iam_group_policy_attachment" "iam_self_management" {
-  count = "${var.attach_iam_self_management_policy ? 1 : 0}"
+  count = var.attach_iam_self_management_policy ? 1 : 0
-  group      = "${local.group_name}"
+  group      = local.group_name
-  policy_arn = "${aws_iam_policy.iam_self_management.arn}"
+  policy_arn = aws_iam_policy.iam_self_management[0].arn
 }
 resource "aws_iam_group_policy_attachment" "custom_arns" {
-  count = "${length(var.custom_group_policy_arns) > 0 ? length(var.custom_group_policy_arns) : 0}"
+  count = length(var.custom_group_policy_arns) > 0 ? length(var.custom_group_policy_arns) : 0
-  group      = "${local.group_name}"
+  group      = local.group_name
-  policy_arn = "${element(var.custom_group_policy_arns, count.index)}"
+  policy_arn = element(var.custom_group_policy_arns, count.index)
 }
 resource "aws_iam_group_policy_attachment" "custom" {
-  count = "${length(var.custom_group_policies) > 0 ? length(var.custom_group_policies) : 0}"
+  count = length(var.custom_group_policies) > 0 ? length(var.custom_group_policies) : 0
-  group      = "${local.group_name}"
+  group      = local.group_name
-  policy_arn = "${element(aws_iam_policy.custom.*.arn, count.index)}"
+  policy_arn = element(aws_iam_policy.custom.*.arn, count.index)
 }
 ###############
 # IAM policies
 ###############
 resource "aws_iam_policy" "iam_self_management" {
-  count = "${var.attach_iam_self_management_policy ? 1 : 0}"
+  count = var.attach_iam_self_management_policy ? 1 : 0
-  name_prefix = "${var.iam_self_management_policy_name_prefix}"
+  name_prefix = var.iam_self_management_policy_name_prefix
-  policy      = "${data.aws_iam_policy_document.iam_self_management.json}"
+  policy      = data.aws_iam_policy_document.iam_self_management.json
 }
 resource "aws_iam_policy" "custom" {
-  count = "${length(var.custom_group_policies) > 0 ? length(var.custom_group_policies) : 0}"
+  count = length(var.custom_group_policies) > 0 ? length(var.custom_group_policies) : 0
-  name   = "${lookup(var.custom_group_policies[count.index], "name")}"
+  name   = var.custom_group_policies[count.index]["name"]
-  policy = "${lookup(var.custom_group_policies[count.index], "policy")}"
+  policy = var.custom_group_policies[count.index]["policy"]
 }
--- a/modules/iam-group-with-policies/outputs.tf
+++ b/modules/iam-group-with-policies/outputs.tf
 output "aws_account_id" {
  description = "IAM AWS account id"
-  value       = "${local.aws_account_id}"
+  value       = local.aws_account_id
 }
 output "this_group_users" {
  description = "List of IAM users in IAM group"
-  value       = ["${split(",", join(",", flatten(aws_iam_group_membership.this.*.users)))}"]
+  value       = flatten(aws_iam_group_membership.this.*.users)
 }
 output "this_group_name" {
  description = "IAM group name"
-  value       = "${element(concat(aws_iam_group.this.*.name, list(var.name)), 0)}"
+  value       = element(concat(aws_iam_group.this.*.name, [var.name]), 0)
 }
--- a/modules/iam-group-with-policies/policies.tf
+++ b/modules/iam-group-with-policies/policies.tf
 data "aws_caller_identity" "current" {
-  count = "${var.aws_account_id == "" ? 1 : 0}"
+  count = var.aws_account_id == "" ? 1 : 0
 }
 locals {
-  aws_account_id = "${element(concat(data.aws_caller_identity.current.*.account_id, list(var.aws_account_id)), 0)}"
+  aws_account_id = element(
+    concat(
+      data.aws_caller_identity.current.*.account_id,
+      [var.aws_account_id],
+    ),
+    0,
+  )
 }
 data "aws_iam_policy_document" "iam_self_management" {
@@ -70,16 +76,17 @@ data "aws_iam_policy_document" "iam_self_management" {
      "arn:aws:iam::${local.aws_account_id}:mfa/$${aws:username}",
    ]
-    condition = {
+    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
-    condition = {
+    condition {
      test     = "NumericLessThan"
      variable = "aws:MultiFactorAuthAge"
      values   = ["3600"]
    }
  }
 }
--- a/modules/iam-group-with-policies/variables.tf
+++ b/modules/iam-group-with-policies/variables.tf
 variable "create_group" {
  description = "Whether to create IAM group"
+  type        = bool
  default     = true
 }
 variable "name" {
  description = "Name of IAM group"
+  type        = string
  default     = ""
 }
 variable "group_users" {
  description = "List of IAM users to have in an IAM group which can assume the role"
+  type        = list(string)
  default     = []
 }
 variable "custom_group_policy_arns" {
  description = "List of IAM policies ARNs to attach to IAM group"
+  type        = list(string)
  default     = []
 }
 variable "custom_group_policies" {
  description = "List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element."
+  type        = list(map(string))
  default     = []
 }
 variable "attach_iam_self_management_policy" {
  description = "Whether to attach IAM policy which allows IAM users to manage their credentials and MFA"
+  type        = bool
  default     = true
 }
 variable "iam_self_management_policy_name_prefix" {
  description = "Name prefix for IAM policy to create with IAM self-management permissions"
+  type        = string
  default     = "IAMSelfManagement-"
 }
 variable "aws_account_id" {
  description = "AWS account id to use inside IAM policies. If empty, current AWS account ID will be used."
+  type        = string
  default     = ""
 }
--- a/modules/iam-policy/main.tf
+++ b/modules/iam-policy/main.tf
 resource "aws_iam_policy" "policy" {
-  name        = "${var.name}"
+  name        = var.name
-  path        = "${var.path}"
+  path        = var.path
-  description = "${var.description}"
+  description = var.description
-  policy = "${var.policy}"
+  policy = var.policy
 }
--- a/modules/iam-policy/outputs.tf
+++ b/modules/iam-policy/outputs.tf
 output "id" {
  description = "The policy's ID"
-  value       = "${aws_iam_policy.policy.id}"
+  value       = aws_iam_policy.policy.id
 }
 output "arn" {
  description = "The ARN assigned by AWS to this policy"
-  value       = "${aws_iam_policy.policy.arn}"
+  value       = aws_iam_policy.policy.arn
 }
 output "description" {
  description = "The description of the policy"
-  value       = "${aws_iam_policy.policy.description}"
+  value       = aws_iam_policy.policy.description
 }
 output "name" {
  description = "The name of the policy"
-  value       = "${aws_iam_policy.policy.name}"
+  value       = aws_iam_policy.policy.name
 }
 output "path" {
  description = "The path of the policy in IAM"
-  value       = "${aws_iam_policy.policy.path}"
+  value       = aws_iam_policy.policy.path
 }
 output "policy" {
  description = "The policy document"
-  value       = "${aws_iam_policy.policy.policy}"
+  value       = aws_iam_policy.policy.policy
 }
--- a/modules/iam-policy/variables.tf
+++ b/modules/iam-policy/variables.tf
 variable "name" {
  description = "The name of the policy"
-  type        = "string"
+  type        = string
  default     = ""
 }
 variable "path" {
  description = "The path of the policy in IAM"
-  type        = "string"
+  type        = string
  default     = "/"
 }
 variable "description" {
  description = "The description of the policy"
+  type        = string
  default     = "IAM Policy"
 }
 variable "policy" {
  description = "The path of the policy in IAM (tpl file)"
-  type        = "string"
+  type        = string
  default     = ""
 }
--- a/modules/iam-user/main.tf
+++ b/modules/iam-user/main.tf
 resource "aws_iam_user" "this" {
-  count = "${var.create_user ? 1 : 0}"
+  count = var.create_user ? 1 : 0
-  name                 = "${var.name}"
+  name                 = var.name
-  path                 = "${var.path}"
+  path                 = var.path
-  force_destroy        = "${var.force_destroy}"
+  force_destroy        = var.force_destroy
-  permissions_boundary = "${var.permissions_boundary}"
+  permissions_boundary = var.permissions_boundary
-  tags                 = "${var.tags}"
+  tags                 = var.tags
 }
 resource "aws_iam_user_login_profile" "this" {
-  count = "${var.create_user && var.create_iam_user_login_profile ? 1 : 0}"
+  count = var.create_user && var.create_iam_user_login_profile ? 1 : 0
-  user                    = "${aws_iam_user.this.name}"
+  user                    = aws_iam_user.this[0].name
-  pgp_key                 = "${var.pgp_key}"
+  pgp_key                 = var.pgp_key
-  password_length         = "${var.password_length}"
+  password_length         = var.password_length
-  password_reset_required = "${var.password_reset_required}"
+  password_reset_required = var.password_reset_required
 }
 resource "aws_iam_access_key" "this" {
-  count = "${var.create_user && var.create_iam_access_key && var.pgp_key != "" ? 1 : 0}"
+  count = var.create_user && var.create_iam_access_key && var.pgp_key != "" ? 1 : 0
-  user    = "${aws_iam_user.this.name}"
+  user    = aws_iam_user.this[0].name
-  pgp_key = "${var.pgp_key}"
+  pgp_key = var.pgp_key
 }
 resource "aws_iam_access_key" "this_no_pgp" {
-  count = "${var.create_user && var.create_iam_access_key && var.pgp_key == "" ? 1 : 0}"
+  count = var.create_user && var.create_iam_access_key && var.pgp_key == "" ? 1 : 0
-  user = "${aws_iam_user.this.name}"
+  user = aws_iam_user.this[0].name
 }
 resource "aws_iam_user_ssh_key" "this" {
-  count = "${var.create_user && var.upload_iam_user_ssh_key ? 1 : 0}"
+  count = var.create_user && var.upload_iam_user_ssh_key ? 1 : 0
-  username   = "${aws_iam_user.this.name}"
+  username   = aws_iam_user.this[0].name
-  encoding   = "${var.ssh_key_encoding}"
+  encoding   = var.ssh_key_encoding
-  public_key = "${var.ssh_public_key}"
+  public_key = var.ssh_public_key
 }
--- a/modules/iam-user/outputs.tf
+++ b/modules/iam-user/outputs.tf
 output "this_iam_user_name" {
  description = "The user's name"
-  value       = "${element(concat(aws_iam_user.this.*.name, list("")), 0)}"
+  value       = element(concat(aws_iam_user.this.*.name, [""]), 0)
 }
 output "this_iam_user_arn" {
  description = "The ARN assigned by AWS for this user"
-  value       = "${element(concat(aws_iam_user.this.*.arn, list("")), 0)}"
+  value       = element(concat(aws_iam_user.this.*.arn, [""]), 0)
 }
 output "this_iam_user_unique_id" {
  description = "The unique ID assigned by AWS"
-  value       = "${element(concat(aws_iam_user.this.*.unique_id, list("")), 0)}"
+  value       = element(concat(aws_iam_user.this.*.unique_id, [""]), 0)
 }
 output "this_iam_user_login_profile_key_fingerprint" {
  description = "The fingerprint of the PGP key used to encrypt the password"
-  value       = "${element(concat(aws_iam_user_login_profile.this.*.key_fingerprint, list("")), 0)}"
+  value = element(
+    concat(aws_iam_user_login_profile.this.*.key_fingerprint, [""]),
+    0,
+  )
 }
 output "this_iam_user_login_profile_encrypted_password" {
  description = "The encrypted password, base64 encoded"
-  value       = "${element(concat(aws_iam_user_login_profile.this.*.encrypted_password, list("")), 0)}"
+  value = element(
+    concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]),
+    0,
+  )
 }
 output "this_iam_access_key_id" {
  description = "The access key ID"
-  value       = "${element(concat(aws_iam_access_key.this.*.id, aws_iam_access_key.this_no_pgp.*.id, list("")), 0)}"
+  value = element(
+    concat(
+      aws_iam_access_key.this.*.id,
+      aws_iam_access_key.this_no_pgp.*.id,
+      [""],
+    ),
+    0,
+  )
 }
 output "this_iam_access_key_secret" {
  description = "The access key secret"
-  value       = "${element(concat(aws_iam_access_key.this_no_pgp.*.secret, list("")), 0)}"
+  value       = element(concat(aws_iam_access_key.this_no_pgp.*.secret, [""]), 0)
 }
 output "this_iam_access_key_key_fingerprint" {
  description = "The fingerprint of the PGP key used to encrypt the secret"
-  value       = "${element(concat(aws_iam_access_key.this.*.key_fingerprint, list("")), 0)}"
+  value       = element(concat(aws_iam_access_key.this.*.key_fingerprint, [""]), 0)
 }
 output "this_iam_access_key_encrypted_secret" {
  description = "The encrypted secret, base64 encoded"
-  value       = "${element(concat(aws_iam_access_key.this.*.encrypted_secret, list("")), 0)}"
+  value       = element(concat(aws_iam_access_key.this.*.encrypted_secret, [""]), 0)
 }
 output "this_iam_access_key_ses_smtp_password" {
  description = "The secret access key converted into an SES SMTP password"
-  value       = "${element(concat(aws_iam_access_key.this.*.ses_smtp_password, aws_iam_access_key.this_no_pgp.*.ses_smtp_password, list("")), 0)}"
+  value = element(
+    concat(
+      aws_iam_access_key.this.*.ses_smtp_password,
+      aws_iam_access_key.this_no_pgp.*.ses_smtp_password,
+      [""],
+    ),
+    0,
+  )
 }
 output "this_iam_access_key_status" {
  description = "Active or Inactive. Keys are initially active, but can be made inactive by other means."
-  value       = "${element(concat(aws_iam_access_key.this.*.status, aws_iam_access_key.this_no_pgp.*.status, list("")), 0)}"
+  value = element(
+    concat(
+      aws_iam_access_key.this.*.status,
+      aws_iam_access_key.this_no_pgp.*.status,
+      [""],
+    ),
+    0,
+  )
 }
 output "pgp_key" {
  description = "PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted)"
-  value       = "${var.pgp_key}"
+  value       = var.pgp_key
 }
 output "keybase_password_decrypt_command" {
  value = <<EOF
-echo "${element(concat(aws_iam_user_login_profile.this.*.encrypted_password, list("")), 0)}" | base64 --decode | keybase pgp decrypt
+echo "${element(
+concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]),
+0,
+)}" | base64 --decode | keybase pgp decrypt
 EOF
-}
-output "keybase_password_pgp_message" {
+    }
+    output "keybase_password_pgp_message" {
      value = <<EOF
 -----BEGIN PGP MESSAGE-----
 Version: Keybase OpenPGP v2.0.76
 Comment: https://keybase.io/crypto
-${element(concat(aws_iam_user_login_profile.this.*.encrypted_password, list("")), 0)}
+${element(
+concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]),
+0,
+)}
 -----END PGP MESSAGE-----
 EOF
-}
-output "keybase_secret_key_decrypt_command" {
+        }
+        output "keybase_secret_key_decrypt_command" {
          value = <<EOF
-echo "${element(concat(aws_iam_access_key.this.*.encrypted_secret, list("")), 0)}" | base64 --decode | keybase pgp decrypt
+echo "${element(concat(aws_iam_access_key.this.*.encrypted_secret, [""]), 0)}" | base64 --decode | keybase pgp decrypt
 EOF
-}
-output "keybase_secret_key_pgp_message" {
+        }
+        output "keybase_secret_key_pgp_message" {
          value = <<EOF
 -----BEGIN PGP MESSAGE-----
 Version: Keybase OpenPGP v2.0.76
 Comment: https://keybase.io/crypto
-${element(concat(aws_iam_access_key.this.*.encrypted_secret, list("")), 0)}
+${element(concat(aws_iam_access_key.this.*.encrypted_secret, [""]), 0)}
 -----END PGP MESSAGE-----
 EOF
 }
 output "this_iam_user_ssh_key_ssh_public_key_id" {
-  description = "The unique identifier for the SSH public key"
+description = "The unique identifier for the SSH public key"
-  value       = "${element(concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, list("")), 0)}"
+value = element(
+concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, [""]),
+0,
+)
 }
 output "this_iam_user_ssh_key_fingerprint" {
-  description = "The MD5 message digest of the SSH public key"
+description = "The MD5 message digest of the SSH public key"
-  value       = "${element(concat(aws_iam_user_ssh_key.this.*.fingerprint, list("")), 0)}"
+value       = element(concat(aws_iam_user_ssh_key.this.*.fingerprint, [""]), 0)
 }
--- a/modules/iam-user/variables.tf
+++ b/modules/iam-user/variables.tf
 variable "create_user" {
  description = "Whether to create the IAM user"
+  type        = bool
  default     = true
 }
 variable "create_iam_user_login_profile" {
  description = "Whether to create IAM user login profile"
+  type        = bool
  default     = true
 }
 variable "create_iam_access_key" {
  description = "Whether to create IAM access key"
+  type        = bool
  default     = true
 }
 variable "name" {
  description = "Desired name for the IAM user"
+  type        = string
 }
 variable "path" {
  description = "Desired path for the IAM user"
+  type        = string
  default     = "/"
 }
 variable "force_destroy" {
  description = "When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed."
+  type        = bool
  default     = false
 }
 variable "pgp_key" {
  description = "Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key."
+  type        = string
  default     = ""
 }
 variable "password_reset_required" {
  description = "Whether the user should be forced to reset the generated password on first login."
+  type        = bool
  default     = true
 }
 variable "password_length" {
  description = "The length of the generated password"
+  type        = number
  default     = 20
 }
 variable "upload_iam_user_ssh_key" {
  description = "Whether to upload a public ssh key to the IAM user"
+  type        = bool
  default     = false
 }
 variable "ssh_key_encoding" {
  description = "Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM"
+  type        = string
  default     = "SSH"
 }
 variable "ssh_public_key" {
  description = "The SSH public key. The public key must be encoded in ssh-rsa format or PEM format"
+  type        = string
  default     = ""
 }
@@ -65,5 +77,12 @@ variable "tags" {
 variable "permissions_boundary" {
  description = "The ARN of the policy that is used to set the permissions boundary for the user."
+  type        = string
  default     = ""
 }
+variable "tags" {
+  description = "A map of tags to add to all resources."
+  type        = map(string)
+  default     = {}
+}