Skip to content

fix: Perpetual drift when including OIDC root CA thumbprint is disabled #3586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: Perpetual drift when including OIDC root CA thumbprint is disabled #3586

wants to merge 1 commit into from

Conversation

@mindw
Copy link

@mindw mindw commented Nov 17, 2025
edited
Loading

Description

If the cluster is created with include_oidc_root_ca_thumbprint set to false, The next apply will suggest removing the internally fetched thumprint.

Motivation and Context

As per documentation, the thumbprint_list must not exist - an empty list is a list. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider#thumbprint_list-1

One can argue that this needs to be the default but that would be a breaking change.

Without this PR:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:
  # module.eks.aws_iam_openid_connect_provider.oidc_provider[0] will be updated in-place
  ~ resource "aws_iam_openid_connect_provider" "oidc_provider" {
        id              = "arn:aws:iam::<ACCOUNT>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<UID>"
        tags            = {
            "Name" = "<CLUSTER_NAME>-eks-irsa"
            "Role" = "EKS"
        }
      ~ thumbprint_list = [
          - "06b25927c42a721631c1efd9431e648fa62e1e39",
        ]
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Breaking Changes

none

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@mindw mindw force-pushed the bugfix/mindw/oidc_provider_perpetual_update_20251611 branch from 545ab45 to 5becc5f Compare November 17, 2025 07:19
@mindw mindw changed the title Fix perpetual drift in when include_oidc_root_ca_thumbprint is disaled fix: perpetual drift in when include_oidc_root_ca_thumbprint is disabled Nov 17, 2025
@mindw mindw changed the title fix: perpetual drift in when include_oidc_root_ca_thumbprint is disabled fix: perpetual drift in when include_oidc_root_ca_thumbprint is disabled Nov 17, 2025
@mindw mindw changed the title fix: perpetual drift in when include_oidc_root_ca_thumbprint is disabled fix: perpetual drift in when including OIDC root CA thumbprint is disabled Nov 17, 2025
@mindw mindw changed the title fix: perpetual drift in when including OIDC root CA thumbprint is disabled fix: perpetual drift in when including oidc root ca thumbprint is disabled Nov 17, 2025
@mindw mindw changed the title fix: perpetual drift in when including oidc root ca thumbprint is disabled fix: perpetual drift when including oidc root ca thumbprint is disabled Nov 17, 2025
@mindw mindw changed the title fix: perpetual drift when including oidc root ca thumbprint is disabled fix: Perpetual drift when including OIDC root CA thumbprint is disabled Nov 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mindw