From 5becc5fcac7fa621a21e2cb1b7c2806e44a36a9e Mon Sep 17 00:00:00 2001
From: Gabi Davar
Date: Sun, 16 Nov 2025 14:39:31 +0200
Subject: [PATCH] Fix perpetual drift in when `include_oidc_root_ca_thumbprint` is disabled
Signed-off-by: Gabi Davar
---
 main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 7a6ddbd2e4..b42776b136 100644
--- a/main.tf
+++ b/main.tf
@@ -440,6 +440,7 @@ locals {
 create_oidc_provider = local.create && var.enable_irsa && !local.create_outposts_local_cluster
 oidc_root_ca_thumbprint = local.create_oidc_provider && var.include_oidc_root_ca_thumbprint ? [data.tls_certificate.this[0].certificates[0].sha1_fingerprint] : []
+ oidc_thumprint_list = concat(local.oidc_root_ca_thumbprint, var.custom_oidc_thumbprints)
 }
 data "tls_certificate" "this" {
@@ -454,7 +455,7 @@ resource "aws_iam_openid_connect_provider" "oidc_provider" {
 count = local.create_oidc_provider ? 1 : 0
 client_id_list = distinct(compact(concat(["sts.amazonaws.com"], var.openid_connect_audiences)))
- thumbprint_list = concat(local.oidc_root_ca_thumbprint, var.custom_oidc_thumbprints)
+ thumbprint_list = length(local.oidc_thumprint_list) == 0 ? null : local.oidc_thumprint_list
 url = aws_eks_cluster.this[0].identity[0].oidc[0].issuer
 tags = merge(
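Review bot: The new local in the `locals` hunk is spelled `oidc_thumprint_list` (missing the "b"), unlike `oidc_root_ca_thumbprint` and `custom_oidc_thumbprints` on the same line, and the second hunk repeats that spelling twice. The list is also built with a bare `concat`, so an empty string in `var.custom_oidc_thumbprints` would leave it non-empty, skip the `length(...) == 0` guard in the next hunk and reach the resource as an entry. `client_id_list` already normalises its input with `distinct(compact(...))`, and the same form fits here: `oidc_thumbprint_list = distinct(compact(concat(local.oidc_root_ca_thumbprint, var.custom_oidc_thumbprints)))`, with both references in the resource hunk renamed to match.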
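Review bot: The `null` branch on `thumbprint_list` has no comment saying why it is `null` rather than `[]`, and the difference matters for the provider's trust configuration: with `null` the module pins no certificate thumbprint and the recorded value is whatever IAM sets on its own. A line such as `# null, not []: leave the thumbprint to IAM when none is configured; [] is read back as a computed value and shows as drift on every plan` above the argument would keep a later cleanup from reverting it; the drift explanation is inferred from the commit subject, not from the visible lines. The patch touches only `main.tf`, so confirm that the module's AWS provider constraint already covers a release in which `thumbprint_list` may be omitted. The resource body continues past the end of the hunk.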