diff --git a/examples/iam-assumable-role/main.tf b/examples/iam-assumable-role/main.tf
index 8c0baa7f..ad00261b 100644
--- a/examples/iam-assumable-role/main.tf
+++ b/examples/iam-assumable-role/main.tf
@@ -75,7 +75,7 @@ module "iam_assumable_role_sts" {
   create_role = true
   role_name = "custom_sts"
-  role_requires_mfa = false
+  role_requires_mfa = true
   role_sts_externalid = [
     "some-id-goes-here",
diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
index 5f2a45ab..fbe246f3 100644
--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
@@ -1,5 +1,5 @@
 locals {
-  role_sts_externalid = flatten(tolist(var.role_sts_externalid))
+  role_sts_externalid = flatten([var.role_sts_externalid])
 }
 
 data "aws_iam_policy_document" "assume_role" {
@@ -56,6 +56,15 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
       variable = "aws:MultiFactorAuthAge"
       values = [var.mfa_age]
     }
+
+    dynamic "condition" {
+      for_each = length(local.role_sts_externalid) != 0 ? [true] : []
+      content {
+        test = "StringEquals"
+        variable = "sts:ExternalId"
+        values = local.role_sts_externalid
+      }
+    }
   }
 }
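Review bot: The example flips role_requires_mfa to true next to a populated role_sts_externalid without saying why, and since the module change in this same commit is what makes the sts:ExternalId condition apply to the MFA trust policy, the example now exercises exactly that path. A short comment would make the combination deliberate rather than accidental, e.g. `# MFA and ExternalId are both enforced in the role's trust policy`. The module "iam_assumable_role_sts" block starts before the hunk.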
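Review bot: The new expression `flatten([var.role_sts_externalid])` now tolerates a single string as well as a list (the old tolist() form presumably rejected a plain string), but that intent is not recorded and the variable's declared type lives outside this hunk. If the variable can be null, flatten([null]) appears to yield a one-element list, which would make the ExternalId condition fire with a null value instead of being skipped — worth confirming against the variable declaration. A one-line comment such as `# accept a single external id or a list of them; an empty list disables the ExternalId condition` would document the contract for both policy documents that consume this local.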
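Review bot: The added dynamic "condition" block closes a gap where a role created with role_requires_mfa = true and a non-empty role_sts_externalid got a trust policy with no sts:ExternalId condition at all, yet nothing in assume_role_with_mfa records that this condition is meant to stay in step with the one presumably present in assume_role, so a later edit to one document can silently reopen the gap. Suggest a comment above the block: `# Mirror the ExternalId condition of assume_role: requiring MFA must not drop the ExternalId check.` The `[true]` sentinel in for_each is only a presence toggle, which reads oddly; `for_each = length(local.role_sts_externalid) > 0 ? [1] : []` with `# emit the condition once when any external id is configured` would make that explicit. The assume_role_with_mfa data block starts before the hunk.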