feat: Allow OIDC root CA thumbprint to be included/excluded (#2778)

* fix: Allow OIDC root CA thumbprint to be included/excluded

* chore: Consolidate conditional logic within local conditional

---------

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>

main.tf

@@ -220,19 +220,26 @@ resource "aws_security_group_rule" "cluster" {
 # Note - this is different from EKS identity provider
 ################################################################################
 
+locals {
+  # Not available on outposts
+  create_oidc_provider = local.create && var.enable_irsa && !local.create_outposts_local_cluster
+
+  oidc_root_ca_thumbprint = local.create_oidc_provider && var.include_oidc_root_ca_thumbprint ? [data.tls_certificate.this[0].certificates[0].sha1_fingerprint] : []
+}
+
 data "tls_certificate" "this" {
   # Not available on outposts
-  count = local.create && var.enable_irsa && !local.create_outposts_local_cluster ? 1 : 0
+  count = local.create_oidc_provider && var.include_oidc_root_ca_thumbprint ? 1 : 0
 
   url = aws_eks_cluster.this[0].identity[0].oidc[0].issuer
 }
 
 resource "aws_iam_openid_connect_provider" "oidc_provider" {
   # Not available on outposts
-  count = local.create && var.enable_irsa && !local.create_outposts_local_cluster ? 1 : 0
+  count = local.create_oidc_provider ? 1 : 0
 
   client_id_list  = distinct(compact(concat(["sts.${local.dns_suffix}"], var.openid_connect_audiences)))
-  thumbprint_list = concat([data.tls_certificate.this[0].certificates[0].sha1_fingerprint], var.custom_oidc_thumbprints)
+  thumbprint_list = concat(local.oidc_root_ca_thumbprint, var.custom_oidc_thumbprints)
   url             = aws_eks_cluster.this[0].identity[0].oidc[0].issuer
 
   tags = merge(