diff --git a/aws_cloudwatch_observability.tf b/aws_cloudwatch_observability.tf
index 46ef267..7d378bf 100644
--- a/aws_cloudwatch_observability.tf
+++ b/aws_cloudwatch_observability.tf
@@ -3,10 +3,10 @@
 ################################################################################
 resource "aws_iam_role_policy_attachment" "aws_cloudwatch_observability" {
- for_each = { for k, v in {
+ for_each = var.create && var.attach_aws_cloudwatch_observability_policy ? {
 CloudWatchAgentServerPolicy = "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
 AWSXrayWriteOnlyAccess = "arn:${local.partition}:iam::aws:policy/AWSXrayWriteOnlyAccess"
- } : k => v if var.create && var.attach_aws_cloudwatch_observability_policy }
+ } : {}
 role = aws_iam_role.this[0].name
 policy_arn = each.value
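Review bot: The single flag `var.attach_aws_cloudwatch_observability_policy` in the new `for_each` still attaches both AWS-managed policies as a pair, so a caller who only needs the CloudWatch agent permissions also gets `AWSXrayWriteOnlyAccess` on the role; that is worth stating where the map is built. I would add a comment above `for_each` such as `# Attaches both AWS-managed policies together; the keys are static, only the condition decides whether the map is empty`. The `role = aws_iam_role.this[0].name` line relies on the role existing whenever `var.create` is true, which is presumably the case but is not visible in this hunk. The resource block closes outside the hunk.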