From f02df92b66a9776a689a2baf39e7474f3b703d89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kir=C3=A1ly=20=C3=81d=C3=A1m?=
Date: Fri, 5 Jul 2024 19:12:21 +0200
Subject: [PATCH] fix: Invoke `aws_iam_session_context` data source only when required (#3058)
* fix: Call `aws_iam_session_context` data resource only if needed
* Typo.
* Move index.
* Fix condition.
---------
Co-authored-by: Bryant Biggs
---
 main.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 4cb1200..ef8b1f6 100644
--- a/main.tf
+++ b/main.tf
@@ -2,6 +2,7 @@ data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
 data "aws_iam_session_context" "current" {
+ count = (var.create && var.enable_cluster_creator_admin_permissions) || (var.create && var.create_kms_key && local.enable_cluster_encryption_config) ? 1 : 0
 # This data source provides information on the IAM source role of an STS assumed role
 # For non-role ARNs, this data source simply passes the ARN through issuer ARN
 # Ref https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2327#issuecomment-1355581682
@@ -147,7 +148,7 @@ locals {
 # better controlled by users through Terraform
 bootstrap_cluster_creator_admin_permissions = {
 cluster_creator = {
- principal_arn = data.aws_iam_session_context.current.issuer_arn
+ principal_arn = data.aws_iam_session_context.current[0].issuer_arn
 type = "STANDARD"
 policy_associations = {
@@ -236,7 +237,7 @@ module "kms" {
 # Policy
 enable_default_policy = var.kms_key_enable_default_policy
 key_owners = var.kms_key_owners
- key_administrators = coalescelist(var.kms_key_administrators, [data.aws_iam_session_context.current.issuer_arn])
+ key_administrators = coalescelist(var.kms_key_administrators, [data.aws_iam_session_context.current[0].issuer_arn])
 key_users = concat([local.cluster_role], var.kms_key_users)
 key_service_users = var.kms_key_service_users
 source_policy_documents = var.kms_key_source_policy_documents
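Review bot: The added `count` expression repeats `var.create` in both branches and restates by hand the conditions under which the two consumers of this data source are active, so a later change to either consumer's gating can leave `current[0]` indexing an empty list. Factoring it reads more directly: `count = var.create && (var.enable_cluster_creator_admin_permissions || (var.create_kms_key && local.enable_cluster_encryption_config)) ? 1 : 0`. A one-line comment naming the two consumers (the cluster-creator access entry and the KMS key administrators default) would help keep the conditions in step. The data block's body continues outside the hunk.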
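Review bot: `data.aws_iam_session_context.current[0].issuer_arn` in `bootstrap_cluster_creator_admin_permissions` is indexed unconditionally, so when the new `count` evaluates to 0 this local presumably fails with an invalid-index error wherever it is evaluated; the same applies to the `key_administrators` argument in the `module "kms"` hunk. Whether the local is filtered by `var.enable_cluster_creator_admin_permissions` before use is not visible here, because the `locals` block starts and ends outside the hunk. A guarded form such as `principal_arn = try(data.aws_iam_session_context.current[0].issuer_arn, "")` keeps the plan valid when the data source is skipped, provided the entry is dropped before it reaches an access entry so that an empty principal is never submitted.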
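Review bot: The `key_administrators` line carries no comment saying that, when `var.kms_key_administrators` is empty, the IAM identity running Terraform becomes the key's administrator, which is a privilege grant that depends on who applies the module (a CI role, for instance). I would add above it: `# Falls back to the issuer ARN of the identity running Terraform when no administrators are given`. The `module "kms"` block starts and ends outside the hunk.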