use different resource type

main.tf

@@ -324,21 +324,19 @@ resource "aws_iam_role" "this" {
   name                 = "${var.iam_resource_names_prefix}-role-${var.name}"
   path                 = "/"
   max_session_duration = "3600"
-  assume_role_policy = jsonencode(
-    {
-      "Version" : "2012-10-17",
-      "Statement" : [
-        {
-          "Effect" : "Allow",
-          "Principal" : {
-            "Service" : "ec2.amazonaws.com"
-          }
-          "Action" : "sts:AssumeRole",
-          "Condition" : {}
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "ec2.amazonaws.com"
         }
-      ]
-    }
-  )
+        "Action" : "sts:AssumeRole",
+        "Condition" : {}
+      }
+    ]
+  })
 
   tags = merge(
     local.tags,
@@ -348,18 +346,13 @@ resource "aws_iam_role" "this" {
   )
 }
 
-# Attach SSM core policy
-resource "aws_iam_role_policy_attachment" "ssm_core" {
-  role       = aws_iam_role.this.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
-}
-
-# Attach additional policies from variable
-resource "aws_iam_role_policy_attachment" "additional" {
-  count = length(var.instance_profile_policies)
-
-  role       = aws_iam_role.this.name
-  policy_arn = var.instance_profile_policies[count.index]
+# Remove individual policy attachments and replace with exclusive management
+resource "aws_iam_role_policy_attachments_exclusive" "this" {
+  role_name = aws_iam_role.this.name
+  policy_arns = concat(
+    ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"],
+    var.instance_profile_policies
+  )
 }
 
 resource "aws_iam_role_policy" "ssm_params_and_secrets" {