Commit d6bb5715 authored by Anton Babenko's avatar Anton Babenko

Added trusted_role_services to iam-assumable-roles, autoupdated docs

parent 40375a58
repos: repos:
- repo: git://github.com/antonbabenko/pre-commit-terraform - repo: git://github.com/antonbabenko/pre-commit-terraform
rev: v1.12.0 rev: v1.19.0
hooks: hooks:
- id: terraform_fmt - id: terraform_fmt
# - id: terraform_docs - id: terraform_docs
- repo: git://github.com/pre-commit/pre-commit-hooks - repo: git://github.com/pre-commit/pre-commit-hooks
rev: v2.2.3 rev: v2.3.0
hooks: hooks:
- id: check-merge-conflict - id: check-merge-conflict
...@@ -22,7 +22,6 @@ Run `terraform destroy` when you don't need these resources. ...@@ -22,7 +22,6 @@ Run `terraform destroy` when you don't need these resources.
| Name | Description | | Name | Description |
|------|-------------| |------|-------------|
| role\_requires\_mfa | Whether admin IAM role requires MFA | | role\_requires\_mfa | Whether admin IAM role requires MFA |
| role\_tags | Whether admin IAM role requires MFA |
| this\_iam\_role\_arn | ARN of IAM role | | this\_iam\_role\_arn | ARN of IAM role |
| this\_iam\_role\_name | Name of IAM role | | this\_iam\_role\_name | Name of IAM role |
| this\_iam\_role\_path | Path of IAM role | | this\_iam\_role\_path | Path of IAM role |
......
...@@ -13,6 +13,10 @@ module "iam_assumable_role_admin" { ...@@ -13,6 +13,10 @@ module "iam_assumable_role_admin" {
"arn:aws:iam::835367859851:user/anton", "arn:aws:iam::835367859851:user/anton",
] ]
trusted_role_services = [
"codedeploy.amazonaws.com"
]
create_role = true create_role = true
role_name = "admin" role_name = "admin"
...@@ -35,10 +39,14 @@ module "iam_assumable_role_custom" { ...@@ -35,10 +39,14 @@ module "iam_assumable_role_custom" {
"arn:aws:iam::307990089504:root", "arn:aws:iam::307990089504:root",
] ]
trusted_role_services = [
"codedeploy.amazonaws.com"
]
create_role = true create_role = true
role_name = "custom" role_name = "custom"
role_requires_mfa = true role_requires_mfa = false
custom_role_policy_arns = [ custom_role_policy_arns = [
"arn:aws:iam::aws:policy/AmazonCognitoReadOnly", "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
......
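Review bot: Flipping `role_requires_mfa` from true to false on the last changed line of the `custom` hunk weakens the example's trust for `arn:aws:iam::307990089504:root`, which can now assume the role with no MFA, and nothing in the hunk says why. It looks like the flip is forced by the new `codedeploy.amazonaws.com` service principal, since a service principal can never present `aws:MultiFactorAuthPresent` and would otherwise be blocked by the module's MFA condition, but that is an inference from the module, not something the example states. At minimum annotate the line, `role_requires_mfa = false # service principals (codedeploy) cannot satisfy the MFA condition`, or better keep MFA on here and put the service principal on a separate least-privilege role so the example does not teach readers to drop MFA on a cross-account root trust; the same question applies to the `admin` hunk, where an AdministratorAccess role now trusts a service principal with no narrowing condition. Both `module` blocks start and end outside their hunks.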
...@@ -13,6 +13,10 @@ module "iam_assumable_roles" { ...@@ -13,6 +13,10 @@ module "iam_assumable_roles" {
"arn:aws:iam::835367859851:user/anton", "arn:aws:iam::835367859851:user/anton",
] ]
trusted_role_services = [
"codedeploy.amazonaws.com"
]
create_admin_role = true create_admin_role = true
create_poweruser_role = true create_poweruser_role = true
......
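Review bot: The new `trusted_role_services` entry is paired with `create_admin_role` and `create_poweruser_role`, whose `*_role_requires_mfa` inputs default to true in this module, so unless those are overridden outside the hunk the CodeDeploy principal ends up in the MFA-conditioned trust statement and the example likely demonstrates a trust the service cannot actually use. It also shows an AWS service principal trusted for admin and poweruser roles with no narrowing condition, which is a worse starting point than an example needs. Either set `admin_role_requires_mfa = false` and `poweruser_role_requires_mfa = false` explicitly with a comment explaining why, or point the service principal at a dedicated low-privilege role instead of the admin/poweruser pair. The enclosing `module` block starts and ends outside the hunk.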
...@@ -27,17 +27,17 @@ Import successful! ...@@ -27,17 +27,17 @@ Import successful!
| Name | Description | Type | Default | Required | | Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:| |------|-------------|:----:|:-----:|:-----:|
| account\_alias | AWS IAM account alias for this account | string | n/a | yes | | account\_alias | AWS IAM account alias for this account | string | n/a | yes |
| allow\_users\_to\_change\_password | Whether to allow users to change their own password | string | `"true"` | no | | allow\_users\_to\_change\_password | Whether to allow users to change their own password | bool | `"true"` | no |
| create\_account\_password\_policy | Whether to create AWS IAM account password policy | string | `"true"` | no | | create\_account\_password\_policy | Whether to create AWS IAM account password policy | bool | `"true"` | no |
| get\_caller\_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | string | `"true"` | no | | get\_caller\_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | bool | `"true"` | no |
| hard\_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | string | `"false"` | no | | hard\_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | bool | `"false"` | no |
| max\_password\_age | The number of days that an user password is valid. | string | `"0"` | no | | max\_password\_age | The number of days that an user password is valid. | number | `"0"` | no |
| minimum\_password\_length | Minimum length to require for user passwords | string | `"8"` | no | | minimum\_password\_length | Minimum length to require for user passwords | number | `"8"` | no |
| password\_reuse\_prevention | The number of previous passwords that users are prevented from reusing | string | `"true"` | no | | password\_reuse\_prevention | The number of previous passwords that users are prevented from reusing | number | `"null"` | no |
| require\_lowercase\_characters | Whether to require lowercase characters for user passwords | string | `"true"` | no | | require\_lowercase\_characters | Whether to require lowercase characters for user passwords | bool | `"true"` | no |
| require\_numbers | Whether to require numbers for user passwords | string | `"true"` | no | | require\_numbers | Whether to require numbers for user passwords | bool | `"true"` | no |
| require\_symbols | Whether to require symbols for user passwords | string | `"true"` | no | | require\_symbols | Whether to require symbols for user passwords | bool | `"true"` | no |
| require\_uppercase\_characters | Whether to require uppercase characters for user passwords | string | `"true"` | no | | require\_uppercase\_characters | Whether to require uppercase characters for user passwords | bool | `"true"` | no |
## Outputs ## Outputs
......
...@@ -10,22 +10,22 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U ...@@ -10,22 +10,22 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
| Name | Description | Type | Default | Required | | Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:| |------|-------------|:----:|:-----:|:-----:|
| admin\_role\_policy\_arn | Policy ARN to use for admin role | string | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no | | admin\_role\_policy\_arn | Policy ARN to use for admin role | string | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
| attach\_admin\_policy | Whether to attach an admin policy to a role | string | `"false"` | no | | attach\_admin\_policy | Whether to attach an admin policy to a role | bool | `"false"` | no |
| attach\_poweruser\_policy | Whether to attach a poweruser policy to a role | string | `"false"` | no | | attach\_poweruser\_policy | Whether to attach a poweruser policy to a role | bool | `"false"` | no |
| attach\_readonly\_policy | Whether to attach a readonly policy to a role | string | `"false"` | no | | attach\_readonly\_policy | Whether to attach a readonly policy to a role | bool | `"false"` | no |
| create\_role | Whether to create a role | string | `"false"` | no | | create\_role | Whether to create a role | bool | `"false"` | no |
| custom\_role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | list | `[]` | no | | custom\_role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | list(string) | `[]` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | string | `"3600"` | no | | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | number | `"3600"` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | string | `"86400"` | no | | mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | number | `"86400"` | no |
| poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | string | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no | | poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | string | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
| readonly\_role\_policy\_arn | Policy ARN to use for readonly role | string | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no | | readonly\_role\_policy\_arn | Policy ARN to use for readonly role | string | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
| role\_name | IAM role name | string | `""` | no | | role\_name | IAM role name | string | `""` | no |
| role\_path | Path of IAM role | string | `"/"` | no | | role\_path | Path of IAM role | string | `"/"` | no |
| role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | string | `""` | no | | role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | string | `""` | no |
| role\_requires\_mfa | Whether role requires MFA | string | `"true"` | no | | role\_requires\_mfa | Whether role requires MFA | bool | `"true"` | no |
| tags | A map of tags to add to all resources. | map | `{}` | no | | tags | A map of tags to add to IAM role resources | map(string) | `{}` | no |
| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list | `[]` | no | | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list(string) | `[]` | no |
| trusted\_role\_services | AWS Services that can assume these roles | list | `[]` | no | | trusted\_role\_services | AWS Services that can assume these roles | list(string) | `[]` | no |
## Outputs ## Outputs
......
...@@ -27,6 +27,11 @@ data "aws_iam_policy_document" "assume_role_with_mfa" { ...@@ -27,6 +27,11 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
identifiers = var.trusted_role_arns identifiers = var.trusted_role_arns
} }
principals {
type = "Service"
identifiers = var.trusted_role_services
}
condition { condition {
test = "Bool" test = "Bool"
variable = "aws:MultiFactorAuthPresent" variable = "aws:MultiFactorAuthPresent"
......
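Review bot: The `Service` principal added to `assume_role_with_mfa` lands in the same statement as the `Bool aws:MultiFactorAuthPresent` condition that follows it, and service principals never carry that key, so with `role_requires_mfa` at its documented default of true a service listed in `trusted_role_services` cannot assume the role at all (a Bool condition on an absent key evaluates to false). The practical effect is visible in this commit's examples, where MFA is switched off to make CodeDeploy work, which trades away MFA for the human principals sharing the statement. Move the service principals into a second `statement` block of `assume_role_with_mfa` that has no MFA condition, emitted only when `length(var.trusted_role_services) > 0` so the document is unchanged for existing callers; that keeps MFA enforced for `trusted_role_arns` while services can still assume. The enclosing `data "aws_iam_policy_document"` block starts and ends outside the hunk.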
...@@ -14,25 +14,25 @@ Creates single IAM role which can be assumed by trusted resources using SAML Fed ...@@ -14,25 +14,25 @@ Creates single IAM role which can be assumed by trusted resources using SAML Fed
| admin\_role\_name | IAM role with admin access | string | `"admin"` | no | | admin\_role\_name | IAM role with admin access | string | `"admin"` | no |
| admin\_role\_path | Path of admin IAM role | string | `"/"` | no | | admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no | | admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no | | admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list(string) | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no |
| admin\_role\_tags | A map of tags to add to admin role resource. | map | `{}` | no | | admin\_role\_tags | A map of tags to add to admin role resource. | map(string) | `{}` | no |
| aws\_saml\_endpoint | AWS SAML Endpoint | list | `[ "https://signin.aws.amazon.com/saml" ]` | no | | aws\_saml\_endpoint | AWS SAML Endpoint | string | `"https://signin.aws.amazon.com/saml"` | no |
| create\_admin\_role | Whether to create admin role | string | `"false"` | no | | create\_admin\_role | Whether to create admin role | bool | `"false"` | no |
| create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no | | create\_poweruser\_role | Whether to create poweruser role | bool | `"false"` | no |
| create\_readonly\_role | Whether to create readonly role | string | `"false"` | no | | create\_readonly\_role | Whether to create readonly role | bool | `"false"` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | string | `"3600"` | no | | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | number | `"3600"` | no |
| poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no | | poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no |
| poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no | | poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no | | poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no | | poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list(string) | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no |
| poweruser\_role\_tags | A map of tags to add to poweruser role resource. | map | `{}` | no | | poweruser\_role\_tags | A map of tags to add to poweruser role resource. | map(string) | `{}` | no |
| provider\_id | ID of the SAML Provider | string | n/a | yes | | provider\_id | ID of the SAML Provider | string | n/a | yes |
| provider\_name | Name of the SAML Provider | string | n/a | yes | | provider\_name | Name of the SAML Provider | string | n/a | yes |
| readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no | | readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
| readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no | | readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no | | readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no | | readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list(string) | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no |
| readonly\_role\_tags | A map of tags to add to readonly role resource. | map | `{}` | no | | readonly\_role\_tags | A map of tags to add to readonly role resource. | map(string) | `{}` | no |
## Outputs ## Outputs
......
...@@ -12,27 +12,28 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U ...@@ -12,27 +12,28 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
| admin\_role\_name | IAM role with admin access | string | `"admin"` | no | | admin\_role\_name | IAM role with admin access | string | `"admin"` | no |
| admin\_role\_path | Path of admin IAM role | string | `"/"` | no | | admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no | | admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no | | admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list(string) | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no |
| admin\_role\_requires\_mfa | Whether admin role requires MFA | string | `"true"` | no | | admin\_role\_requires\_mfa | Whether admin role requires MFA | bool | `"true"` | no |
| admin\_role\_tags | A map of tags to add to admin role resource. | map | `{}` | no | | admin\_role\_tags | A map of tags to add to admin role resource. | map(string) | `{}` | no |
| create\_admin\_role | Whether to create admin role | string | `"false"` | no | | create\_admin\_role | Whether to create admin role | bool | `"false"` | no |
| create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no | | create\_poweruser\_role | Whether to create poweruser role | bool | `"false"` | no |
| create\_readonly\_role | Whether to create readonly role | string | `"false"` | no | | create\_readonly\_role | Whether to create readonly role | bool | `"false"` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | string | `"3600"` | no | | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | number | `"3600"` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | string | `"86400"` | no | | mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | number | `"86400"` | no |
| poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no | | poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no |
| poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no | | poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no | | poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no | | poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list(string) | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no |
| poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | string | `"true"` | no | | poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | bool | `"true"` | no |
| poweruser\_role\_tags | A map of tags to add to power role resource. | map | `{}` | no | | poweruser\_role\_tags | A map of tags to add to poweruser role resource. | map(string) | `{}` | no |
| readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no | | readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
| readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no | | readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no | | readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no | | readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list(string) | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no |
| readonly\_role\_requires\_mfa | Whether readonly role requires MFA | string | `"true"` | no | | readonly\_role\_requires\_mfa | Whether readonly role requires MFA | bool | `"true"` | no |
| readonly\_role\_tags | A map of tags to add to readonly role resource. | map | `{}` | no | | readonly\_role\_tags | A map of tags to add to readonly role resource. | map(string) | `{}` | no |
| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list | `[]` | no | | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list(string) | `[]` | no |
| trusted\_role\_services | AWS Services that can assume these roles | list(string) | `[]` | no |
## Outputs ## Outputs
......
...@@ -8,6 +8,11 @@ data "aws_iam_policy_document" "assume_role" { ...@@ -8,6 +8,11 @@ data "aws_iam_policy_document" "assume_role" {
type = "AWS" type = "AWS"
identifiers = var.trusted_role_arns identifiers = var.trusted_role_arns
} }
principals {
type = "Service"
identifiers = var.trusted_role_services
}
} }
} }
...@@ -22,6 +27,11 @@ data "aws_iam_policy_document" "assume_role_with_mfa" { ...@@ -22,6 +27,11 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
identifiers = var.trusted_role_arns identifiers = var.trusted_role_arns
} }
principals {
type = "Service"
identifiers = var.trusted_role_services
}
condition { condition {
test = "Bool" test = "Bool"
variable = "aws:MultiFactorAuthPresent" variable = "aws:MultiFactorAuthPresent"
......
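Review bot: In the second hunk the `Service` principal is added inside the statement that also carries the `Bool aws:MultiFactorAuthPresent` condition, and service principals never present that key, so any role created with its default `*_role_requires_mfa = true` will list the service in its trust policy yet deny every AssumeRole it makes. The first hunk (`assume_role`, no MFA) is fine on its own, but the asymmetry means callers hit the problem only after choosing MFA, and the easiest escape is to turn MFA off for the human principals too, as this commit's examples do. A separate statement without the MFA condition, emitted only when `trusted_role_services` is non-empty, keeps MFA for `trusted_role_arns` and lets services assume; it would also be worth documenting that neither document adds an `aws:SourceAccount`/`aws:SourceArn` condition for service principals, which is the usual confused-deputy guard where the service supports those keys. Both `data` blocks start and end outside their hunks.
```hcl
data "aws_iam_policy_document" "assume_role_with_mfa" {
  # … unchanged: MFA-conditioned statement for var.trusted_role_arns (AWS principals) …

  # Service principals cannot satisfy aws:MultiFactorAuthPresent, so they get
  # their own statement; emitted only when the list is non-empty.
  dynamic "statement" {
    for_each = length(var.trusted_role_services) > 0 ? [1] : []

    content {
      effect  = "Allow"
      actions = ["sts:AssumeRole"]

      principals {
        type        = "Service"
        identifiers = var.trusted_role_services
      }
    }
  }
```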
...@@ -4,6 +4,12 @@ variable "trusted_role_arns" { ...@@ -4,6 +4,12 @@ variable "trusted_role_arns" {
default = [] default = []
} }
variable "trusted_role_services" {
description = "AWS Services that can assume these roles"
type = list(string)
default = []
}
variable "mfa_age" { variable "mfa_age" {
description = "Max age of valid MFA (in seconds) for roles which require MFA" description = "Max age of valid MFA (in seconds) for roles which require MFA"
type = number type = number
......
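Review bot: The description `AWS Services that can assume these roles` does not say what form the entries take, and the README tables generated from it carry the same gap. Borrowing the form used in this commit's examples, `description = "AWS service principals (e.g. codedeploy.amazonaws.com) that can assume these roles"` tells the caller what to pass. The new `variable` block is complete within the hunk.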
...@@ -7,8 +7,8 @@ Creates IAM group with users who are allowed to assume IAM roles. This is typica ...@@ -7,8 +7,8 @@ Creates IAM group with users who are allowed to assume IAM roles. This is typica
| Name | Description | Type | Default | Required | | Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:| |------|-------------|:----:|:-----:|:-----:|
| assumable\_roles | List of IAM roles ARNs which can be assumed by the group | list | `[]` | no | | assumable\_roles | List of IAM roles ARNs which can be assumed by the group | list(string) | `[]` | no |
| group\_users | List of IAM users to have in an IAM group which can assume the role | list | `[]` | no | | group\_users | List of IAM users to have in an IAM group which can assume the role | list(string) | `[]` | no |
| name | Name of IAM policy and IAM group | string | n/a | yes | | name | Name of IAM policy and IAM group | string | n/a | yes |
## Outputs ## Outputs
......
...@@ -7,12 +7,12 @@ Creates IAM group with specified IAM policies, and add users into a group. ...@@ -7,12 +7,12 @@ Creates IAM group with specified IAM policies, and add users into a group.
| Name | Description | Type | Default | Required | | Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:| |------|-------------|:----:|:-----:|:-----:|
| attach\_iam\_self\_management\_policy | Whether to attach IAM policy which allows IAM users to manage their credentials and MFA | string | `"true"` | no | | attach\_iam\_self\_management\_policy | Whether to attach IAM policy which allows IAM users to manage their credentials and MFA | bool | `"true"` | no |
| aws\_account\_id | AWS account id to use inside IAM policies. If empty, current AWS account ID will be used. | string | `""` | no | | aws\_account\_id | AWS account id to use inside IAM policies. If empty, current AWS account ID will be used. | string | `""` | no |
| create\_group | Whether to create IAM group | string | `"true"` | no | | create\_group | Whether to create IAM group | bool | `"true"` | no |
| custom\_group\_policies | List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element. | list | `[]` | no | | custom\_group\_policies | List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element. | list(map(string)) | `[]` | no |
| custom\_group\_policy\_arns | List of IAM policies ARNs to attach to IAM group | list | `[]` | no | | custom\_group\_policy\_arns | List of IAM policies ARNs to attach to IAM group | list(string) | `[]` | no |
| group\_users | List of IAM users to have in an IAM group which can assume the role | list | `[]` | no | | group\_users | List of IAM users to have in an IAM group which can assume the role | list(string) | `[]` | no |
| iam\_self\_management\_policy\_name\_prefix | Name prefix for IAM policy to create with IAM self-management permissions | string | `"IAMSelfManagement-"` | no | | iam\_self\_management\_policy\_name\_prefix | Name prefix for IAM policy to create with IAM self-management permissions | string | `"IAMSelfManagement-"` | no |
| name | Name of IAM group | string | `""` | no | | name | Name of IAM group | string | `""` | no |
......
...@@ -23,20 +23,20 @@ This module outputs commands and PGP messages which can be decrypted either usin ...@@ -23,20 +23,20 @@ This module outputs commands and PGP messages which can be decrypted either usin
| Name | Description | Type | Default | Required | | Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:| |------|-------------|:----:|:-----:|:-----:|
| create\_iam\_access\_key | Whether to create IAM access key | string | `"true"` | no | | create\_iam\_access\_key | Whether to create IAM access key | bool | `"true"` | no |
| create\_iam\_user\_login\_profile | Whether to create IAM user login profile | string | `"true"` | no | | create\_iam\_user\_login\_profile | Whether to create IAM user login profile | bool | `"true"` | no |
| create\_user | Whether to create the IAM user | string | `"true"` | no | | create\_user | Whether to create the IAM user | bool | `"true"` | no |
| force\_destroy | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | string | `"false"` | no | | force\_destroy | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | bool | `"false"` | no |
| name | Desired name for the IAM user | string | n/a | yes | | name | Desired name for the IAM user | string | n/a | yes |
| password\_length | The length of the generated password | string | `"20"` | no | | password\_length | The length of the generated password | number | `"20"` | no |
| password\_reset\_required | Whether the user should be forced to reset the generated password on first login. | string | `"true"` | no | | password\_reset\_required | Whether the user should be forced to reset the generated password on first login. | bool | `"true"` | no |
| path | Desired path for the IAM user | string | `"/"` | no | | path | Desired path for the IAM user | string | `"/"` | no |
| permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the user. | string | `""` | no | | permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the user. | string | `""` | no |
| pgp\_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `""` | no | | pgp\_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `""` | no |
| ssh\_key\_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | string | `"SSH"` | no | | ssh\_key\_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | string | `"SSH"` | no |
| ssh\_public\_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | string | `""` | no | | ssh\_public\_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | string | `""` | no |
| tags | A map of tags to add to all resources. | map | `{}` | no | | tags | A map of tags to add to all resources. | map(string) | `{}` | no |
| upload\_iam\_user\_ssh\_key | Whether to upload a public ssh key to the IAM user | string | `"false"` | no | | upload\_iam\_user\_ssh\_key | Whether to upload a public ssh key to the IAM user | bool | `"false"` | no |
## Outputs ## Outputs
......
...@@ -88,36 +88,36 @@ output "pgp_key" { ...@@ -88,36 +88,36 @@ output "pgp_key" {
output "keybase_password_decrypt_command" { output "keybase_password_decrypt_command" {
value = <<EOF value = <<EOF
echo "${element( echo "${element(
concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]), concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]),
0, 0,
)}" | base64 --decode | keybase pgp decrypt )}" | base64 --decode | keybase pgp decrypt
EOF EOF
} }
output "keybase_password_pgp_message" { output "keybase_password_pgp_message" {
value = <<EOF value = <<EOF
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
Version: Keybase OpenPGP v2.0.76 Version: Keybase OpenPGP v2.0.76
Comment: https://keybase.io/crypto Comment: https://keybase.io/crypto
${element( ${element(
concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]), concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]),
0, 0,
)} )}
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
EOF EOF
} }
output "keybase_secret_key_decrypt_command" { output "keybase_secret_key_decrypt_command" {
value = <<EOF value = <<EOF
echo "${element(concat(aws_iam_access_key.this.*.encrypted_secret, [""]), 0)}" | base64 --decode | keybase pgp decrypt echo "${element(concat(aws_iam_access_key.this.*.encrypted_secret, [""]), 0)}" | base64 --decode | keybase pgp decrypt
EOF EOF
} }
output "keybase_secret_key_pgp_message" { output "keybase_secret_key_pgp_message" {
value = <<EOF value = <<EOF
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
Version: Keybase OpenPGP v2.0.76 Version: Keybase OpenPGP v2.0.76
...@@ -130,15 +130,15 @@ EOF ...@@ -130,15 +130,15 @@ EOF
} }
output "this_iam_user_ssh_key_ssh_public_key_id" { output "this_iam_user_ssh_key_ssh_public_key_id" {
description = "The unique identifier for the SSH public key" description = "The unique identifier for the SSH public key"
value = element( value = element(
concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, [""]), concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, [""]),
0, 0,
) )
} }
output "this_iam_user_ssh_key_fingerprint" { output "this_iam_user_ssh_key_fingerprint" {
description = "The MD5 message digest of the SSH public key" description = "The MD5 message digest of the SSH public key"
value = element(concat(aws_iam_user_ssh_key.this.*.fingerprint, [""]), 0) value = element(concat(aws_iam_user_ssh_key.this.*.fingerprint, [""]), 0)
} }